
The Interpose PUF: Secure PUF Design against State-of-the-art Machine Learning Attacks

Phuong Ha Nguyen1, Durga Prasad Sahoo2, Chenglu Jin1, Kaleel Mahmood1, Ulrich Rührmair3 and Marten van Dijk1

1 University of Connecticut, {phuong_ha.nguyen, chenglu.jin, kaleel.mahmood, marten.van_dijk}@uconn.edu

2 Bosch India (RBEI/ESY), [email protected]

3 LMU München, [email protected]

Abstract. The design of a silicon Strong Physical Unclonable Function (PUF) that is lightweight and stable, and which possesses a rigorous security argument, has been a fundamental problem in PUF research since its very beginnings in 2002. Various effective PUF modeling attacks, for example at CCS 2010 and CHES 2015, have shown that currently, no existing silicon PUF design can meet these requirements. In this paper, we introduce the novel Interpose PUF (iPUF) design, and rigorously prove its security against all known machine learning (ML) attacks, including any currently known reliability-based strategies that exploit the stability of single CRPs (we are the first to provide a detailed analysis of when the reliability-based CMA-ES attack is successful and when it is not applicable). Furthermore, we provide simulations and confirm these in experiments with FPGA implementations of the iPUF, demonstrating its practicality. Our new iPUF architecture thus solves the currently open problem of constructing practical, silicon Strong PUFs that are secure against state-of-the-art ML attacks.

Keywords: Arbiter Physical Unclonable Function (APUF), Majority Voting, Modeling Attack, Strict Avalanche Criterion, Reliability-based Modeling, XOR APUF, CMA-ES, Logistic Regression, Deep Neural Network.

1 Introduction

A Physical Unclonable Function (PUF) is a fingerprint of a chip which behaves as a one-way function in the following way: it leverages process manufacturing variation to generate a unique function taking “challenges” as input and generating “responses” as output. Silicon PUFs were introduced in 2002 by Gassend et al. [GCvDD02] and are an emerging hardware security primitive in various applications such as device identification, authentication and cryptographic key generation [MV10, KGM+08, YMSD11, BFSK11]. The fundamental open problem of strong silicon PUFs is: how to design a PUF that is lightweight, strong and secure. Below we explain each of these three properties and discuss current PUF designs that do not satisfy all of them. We also propose a new PUF design, the Interpose PUF (iPUF), to solve this open problem.

Lightweight and Strong Design. A lightweight design must have a small number of gates (small area); in addition, only limited digital computation is allowed, with a small number of gate evaluations and without the need to access additional memory. Such a lightweight implementation gives a small hardware footprint and high throughput. A strong PUF is one that has a large number of Challenge-Response Pairs (CRPs), which are impractical to enumerate.¹

¹ Assuming no additional physical limitation on the read-out speed of CRPs from the PUF.




Security Argument. We consider an adversarial model in which an attacker attempts to obtain a software model of a PUF by using information extracted from measured CRPs. Intrinsically, a PUF hides a “random” function, and learning such functions from input-output pairs is the field of machine learning; therefore, security must be argued with respect to the best-known applicable machine learning techniques. In practice we measure the security of a PUF by the number of CRPs required to model the PUF with a sufficiently high prediction accuracy (e.g. 90%).

Current PUF Designs. Current strong PUF designs can generally be placed into one of three categories: 1. strong PUFs without rigorous security arguments, e.g., the Power Grid PUF [HAP09], Clock PUF [YKL+13], and Crossbar PUF [RJB+11]; 2. strong PUFs based on the Arbiter PUF (APUF) design, which have been broken by machine learning based attacks as discussed in Section 2, e.g., the XOR APUF [SD07], the Feed-Forward PUF [LLG+05], the LSPUF (Lightweight Secure PUF) [MKP08], the Bistable Ring PUF [CCL+11], and the MPUF (Multiplexer PUF) [SMCN18]; 3. strong PUFs with security proofs that are not lightweight, e.g., the LPN PUF (Learning Parity with Noise based PUF) [HRvD+17, JHR+17].

Machine Learning Categorization. In this paper we divide the best-known machine learning attacks on PUFs into two types. The first type of attacks, which use non-repeated measurements of CRPs, are denoted as Classical Machine Learning (CML). We further describe various CML attacks in Section 2. The CML security arguments for the iPUF are based on the theoretical arguments developed for the x-XOR APUF. It has already been proven that for the x-XOR APUF, if x is large enough, then it is secure against known CML attacks [Söl09, RSS+10, TB15]. In this paper, we prove an equivalence relationship between the (x, y)-iPUF and the x-XOR APUF such that the theoretical CML framework developed for the x-XOR APUF can be applied to the iPUF. Specifically, if y is chosen large, then the iPUF is theoretically secure against CML, just like the x-XOR APUF. In this way, we can re-use the XOR APUF CML security framework without having to create and prove an entirely new one. However, regardless of how large x is, the x-XOR APUF is still vulnerable to a second type of machine learning attacks.

The second type of machine learning attacks we discuss in this paper are attacks that use repeated CRP measurements [DV13, Bec15] (see Section 2 for more details). We denote these attacks as reliability-based machine learning. In this paper we prove that these attacks are unable to model the iPUF. Overall, the iPUF is secure against CML attacks and reliability-based machine learning attacks. Moreover, it is as lightweight as an XOR APUF. Hence, the iPUF replaces the XOR APUF as a next-generation secure, lightweight, strong PUF.

Contributions. In this paper, our contributions are as follows.

• Reliability-based CMA-ES (Covariance Matrix Adaptation Evolution Strategy) attacks. Through theoretical study, rigorous simulation and experimentation, we explain why the most prevalent reliability-based machine learning attack works on APUFs and XOR APUFs. Moreover, we show under what circumstances the attack fails. To the best of our knowledge, we are the first to work on these two problems. In addition, we propose enhanced reliability-based CMA-ES attacks which are much more powerful than the original one.

• Interpose PUF (iPUF). We propose a novel APUF-based PUF design called the iPUF. The iPUF is a lightweight, strong, secure PUF design that solves the open fundamental problem of silicon PUFs. We show that the iPUF can prevent CML attacks that use derivative-based calculations (i.e. Logistic Regression) as well as the main reliability-based machine learning attack (i.e. reliability-based CMA-ES). Moreover, by showing the similarity between the iPUF and XOR APUF, we can prove that the iPUF is secure against deep neural network attacks and CRP-based CMA-ES attacks, which are the most powerful classical attacks applicable to the iPUF.

• Open Source Library. We provide open source code on GitHub² for all our simulations and experiments. This includes code for machine learning attacks on APUF, XOR APUF and iPUF in Matlab, C#, and Python. Code to create various PUF models on FPGA hardware is also given.

² URL: https://github.com/scluconn/DA_PUF_Library

Paper Organization. The paper is organized as follows. The background on machine learning attacks is presented in Section 2. Section 3 briefly introduces the APUF and iPUF designs. Here, we also explain the road map to prove the resistance of the iPUF against all known modeling attacks, and introduce the specific chosen set of parameters for a practical secure iPUF (see Section 3.4). After that, we give a short description of reliability-based CMA-ES on the XOR APUF and introduce its enhanced variant on the APUF and XOR APUF in Section 4.

Section 5 provides a comprehensive study of reliability-based CMA-ES on the XOR APUF, i.e., why it works and when it fails. We move to the security analysis of the iPUF regarding classical machine learning attacks and reliability-based machine learning attacks in Section 6. We explicitly provide the security conjecture used for iPUF security and the design philosophy of the iPUF (see Section 6.1). We introduce the notions of Contribution and Equivalence to show the relationship between the iPUF and XOR APUF in Section 6.3. With the developed understanding of reliability-based CMA-ES and the knowledge of the equivalence between the iPUF and XOR APUF, we can then show, in Section 6.5, the resistance of the iPUF against all known attacks, i.e., the reliability-based CMA-ES attack, the special class of machine learning attacks developed only for the iPUF (coined linear approximation attacks, see Section 4.3), the Logistic Regression (LR) attacks, the Deep Neural Network attacks, the CRP-based CMA-ES attacks, the Boolean function based attacks, and the Deterministic Finite Automata and Perceptron attacks used in the PAC learning framework. Section 7 studies the strict avalanche criterion (SAC) and the reliability property of the iPUF.

We provide detailed simulations to support the analysis of the iPUF in Section 8. Section 9 presents the results for the iPUF implemented on FPGA. Here, we experimentally and theoretically explain the impact of bad and good implementations on the security of the iPUF. We conclude our paper in Section 10. Moreover, we also provide a brief description of the APUF and XOR APUF in Appendix A.1, the influence of a challenge bit on the output of an APUF in Appendix A.2, the Multiplexer PUF's vulnerability with respect to the reliability-based CMA-ES attack in Appendix A.3, and the k-junta test in Appendix A.4.

2 Background on Machine Learning Attacks on PUFs

In this section we discuss background information related to the evolution of machine learning attacks on PUFs.



2.1 Classical Machine Learning Attacks Background

The first CML attack was introduced in 2004, when the 64-bit APUF was shown to be vulnerable to Support Vector Machines (SVM) [Lim04, LLG+05]. The most efficient CML attack on the APUF and XOR APUF [RSS+10, TB15] is Logistic Regression (LR), which uses non-repeated measurements of CRPs. LR was used to break APUFs and XOR APUFs in 2010 [RSS+10]. Rührmair et al. [RSS+10] demonstrated how the x-XOR APUF for x ≤ 5 can be modeled with at least 98% accuracy using LR with non-repeated measurements of CRPs. The state-of-the-art implementation of LR breaks the 64-bit x-XOR APUF up to x ≤ 9 and the 128-bit x-XOR APUF up to x ≤ 7 [TB15]. For larger x the XOR APUF has been shown to resist LR due to the exponential growth in the amount of training data required to model the XOR APUF as x increases [Söl09, RSS+10, TB15].

Many PUF designs based on the APUF can also be broken using CML. The Bistable Ring PUF borrows from the APUF design and can be broken like the APUF using a neural network [SH14] or SVM [XRHB15]. The Feed-Forward APUF (FFA) [LLG+05] is another variant of the APUF and can be broken using SVM, LR and ES (Evolution Strategy) for ≤ 8 feedforward positions [RSS+10]. For a larger number of feedforward positions the FFA becomes unreliable and is therefore not considered to be practical. The Lightweight Secure PUF (LSPUF) [MKP08] is a variant of the XOR APUF with multiple outputs. The LSPUF is based on the x-XOR APUF and consequently is vulnerable to LR [SNMC15] when x ≤ 9.

Another type of classical machine learning attack is based on Probably Approximately Correct (PAC) learning [GTS15, GTS16, GTFS16]. PAC learning provides a framework to derive the maximum number of CRPs required for modeling an XOR APUF, with given levels of accuracy and confidence in the delivered model. The Perceptron algorithm used in the PAC learning framework has been shown to be successful against the x-XOR APUF for x ≤ 4 [GTS15], and the Deterministic Finite Automata (DFA) algorithm [GTS16] can be used to model the APUF. We note that the DFA attack in [GTS16] can be modified to further attack the x-XOR APUF, but the necessary modification is not fully explained. If we compare the LR attack on the XOR APUF in [Söl09, RSS+10, TB15] with the Perceptron attack or the DFA attack on the XOR APUF in [GTS15], we can see that the LR attack is much more powerful. This is because LR has a much smaller search space, uses a mathematical model of the XOR APUF, and uses gradient information in an optimization process. Therefore, we only focus on the LR attack for the XOR APUF in this paper. In addition, there is one Boolean function based attack related to the PAC learning framework [GTFS16]. However, we show in Section 6.5 that it is inapplicable to APUFs, XOR APUFs and iPUFs.

In this paper we focus on the main classical machine learning attacks: LR, Deep Neural Network (DNN) [GBC16] and Covariance Matrix Adaptation Evolution Strategy (CMA-ES) [Han16]. LR is considered the most powerful attack on the XOR APUF because it is a gradient-based optimization and it uses the mathematical model of the XOR APUF [Söl09, RSS+10]. Since DNN is considered one of the most powerful black-box attacks (i.e., it does not require any mathematical model of the PUF), it is an interesting case to study. CMA-ES is a gradient-free algorithm (i.e., the gradient is not used for finding the desired model), and this property distinguishes it from algorithms that require gradient-based computations (e.g., the LR algorithm). By considering the LR, DNN and CMA-ES algorithms, we complete the study of classical machine learning attacks on APUF-based PUFs (i.e., XOR APUF and iPUF).

2.2 Reliability-based Machine Learning Attacks Background

The first reliability-based attack was proposed in [DV13], where the authors used reliability information and the Least Mean Square optimization method to attack the APUF only. In other words, the attack in [DV13] is not applicable to XOR APUFs. Later on, Becker [Bec15] was able to break the XOR APUF (and, as a consequence, the LSPUF) with a complexity linear in x using a non-classical ML attack which uses the reliability information of CRPs and the CMA-ES method. Reliability information can be extracted from repeated measurements of responses belonging to the same challenge [DV13]. This allows an attacker to measure the sensitivity of a response to environmental noise caused by, e.g., temperature and voltage variations.

In this paper we refer to attacks that use repeated CRP measurements as reliability-based machine learning attacks.³

³ Reliability information can be regarded as a type of ‘side-channel’ information which is extracted from CRPs alone without the use of extraneous equipment, whereas additional equipment is needed in power side-channel analysis etc. [RXS+14, TDF+14, TLG+15]. In this paper security is argued in an adversarial model where the attacker only has access to CRPs.

Note that if responses are not sensitive to environmental noise, i.e., the PUF is very reliable, then Becker's reliability-based CMA-ES attack is not applicable. For this reason one may want to add digital circuitry to the PUF in the form of a fuzzy extractor [DRS04] or an interface that exploits the LPN problem [HRvD+17, JHR+17], but these techniques are not lightweight and therefore do not solve the stated fundamental problem. A more lightweight solution is presented in [WGM+17], where the reliability of an x-XOR APUF is enhanced using majority voting. However, this is not sufficiently lightweight either, as the same circuitry (including memory for storing a counter) needs to be executed repeatedly a large number of times, which implies a large number of gate evaluations and a reduction in throughput. More importantly, majority voting does not prevent the reliability-based CMA-ES attack, as the environment can be pushed to extremes in order to make the PUF unreliable again. In [SMCN18], a new PUF design was introduced, but it is also not secure against the CMA-ES attack (see Algorithm 1 in Section 5 of [SMCN18] or Appendix A.3). Since we only focus on the PUF primitive, PUF-based protocols which can prevent the reliability-based CMA-ES attack are out of the scope of this paper; for example, the Lockdown protocol in [YHD+16] is one good candidate. However, the iPUF design we propose is more lightweight and simpler than the Lockdown protocol because it does not require additional hardware primitives such as a True Random Number Generator, counters, etc. (see [YHD+16]).

3 The Arbiter PUF and Interpose PUF

In this section, we briefly introduce the analytical delay model [Lim04] and the reliability model [DV13] of the APUF. We also discuss the basic design of the newly proposed (x, y)-iPUF. Descriptions of both designs are necessary to understand the effectiveness of ML attacks on PUFs in Section 4. The reader can find a detailed description of the APUF and XOR APUF in Appendix A.1.

3.1 The APUF Linear Additive Delay Model

In [Lim04, LLG+05], an analytical model called the Linear Additive Delay Model was presented. As shown in [Lim04], the linear additive delay model of an APUF has the form:

∆ = w[0]Ψ[0] + · · ·+ w[i]Ψ[i] + · · ·+ w[n]Ψ[n] = 〈w,Ψ〉, (1)

where n is the number of challenge bits, and w and Ψ are known as the weight and parity (or feature) vectors, respectively. The parity vector Ψ is derived from the challenge c as follows:



Ψ[n] = 1, and Ψ[i] = ∏_{j=i}^{n−1} (1 − 2c[j]), i = 0, . . . , n − 1. (2)

In this delay model, the unknown weight vector w depends on the process variation of the APUF instance (i.e. of a specifically manufactured APUF). The response to a challenge c is defined as: r = 0 if ∆ ≥ 0; otherwise, r = 1.
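To make the delay model concrete, the following minimal simulation sketch of Eqs. (1)-(2) is given, assuming numpy; the helper names (parity_vector, apuf_response) are ours, not from the original paper, and are reused in later sketches.

```python
import numpy as np

def parity_vector(c):
    """Parity (feature) vector Psi of an n-bit challenge c, as in Eq. (2)."""
    n = len(c)
    psi = np.ones(n + 1)
    for i in range(n):
        # Psi[i] = prod_{j=i}^{n-1} (1 - 2*c[j]); Psi[n] = 1
        psi[i] = np.prod(1 - 2 * np.asarray(c[i:]))
    return psi

def apuf_response(w, c):
    """Delay difference of Eq. (1) mapped to a response bit (r = 0 iff Delta >= 0)."""
    delta = float(np.dot(w, parity_vector(c)))
    return 0 if delta >= 0 else 1

# Example: one simulated 64-bit APUF with Gaussian process-variation weights.
rng = np.random.default_rng(0)
w = rng.normal(0.0, 1.0, 65)      # n + 1 weights
c = rng.integers(0, 2, 64)        # random 64-bit challenge
print(apuf_response(w, c))
```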

3.2 The Arbiter PUF Reliability Model

Due to noise, the reproducibility or reliability of the output of a PUF is not perfect, i.e., applying the same challenge to a PUF will not produce a response bit with the same value every time. Repeatability is the short-term reliability of a PUF in the presence of CMOS noise; it does not refer to the long-term device aging effect [DV13].

In an APUF we can measure the (short-term) reliability R (i.e., repeatability) for a specific challenge c in the following way. Assume that the challenge c is evaluated M times, and suppose that N out of the M measured responses are equal to 1. The reliability is then defined as R = N/M ∈ [0, 1].

In Eq. (1) we showed the mathematical relationship between the parity vector Ψ and the corresponding delay difference ∆. Similarly, there exists a mathematical relationship between the reliability R of a given challenge and its delay difference ∆, as shown in [DV13]:

∆/σ_N = ∑_{i=0}^{n} (w[i]/σ_N) Ψ[i] = −Φ⁻¹(R), (3)

where the noise follows a normal distribution N(0, σ_N) and Φ(·) is the cumulative distribution function of the standard normal distribution. In the case where R ∈ [0.1, 0.9], a further approximation [DV13] can be made by linearizing Φ⁻¹(R) around R = 1/2:

∆/σ_N ≈ −√(2π) (R − 1/2). (4)
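As a concrete reading of Eq. (3), a small sketch (assuming numpy/scipy; function names are ours) that computes the measured reliability R = N/M and the reliability predicted by a weight model:

```python
import numpy as np
from scipy.stats import norm

def measured_reliability(responses):
    """Short-term reliability R = N/M from M repeated response measurements
    of one challenge (Section 3.2)."""
    return float(np.mean(responses))

def model_reliability(w, psi, sigma_n):
    """Reliability predicted by a weight model via Eq. (3): R = Phi(-Delta / sigma_N)."""
    delta = float(np.dot(w, psi))
    return norm.cdf(-delta / sigma_n)
```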

3.3 The iPUF Design

An (x, y)-iPUF consists of two layers. The upper layer is an n-bit x-XOR APUF and the lower layer is an (n + 1)-bit y-XOR APUF. We denote the input to the x-XOR APUF as cx = (c[0], . . . , c[i], c[i+1], . . . , c[n−1]). The response rx of the x-XOR APUF is interposed in cx to create a new (n + 1)-bit challenge cy = (c[0], . . . , c[i], rx, c[i+1], . . . , c[n−1]). The final response bit is the response ry of the y-XOR APUF with respect to the new challenge cy. The structure of the (x, y)-iPUF is shown in Figure 1.

Figure 1: The (x, y)-iPUF (Interpose PUF) is comprised of an x-XOR APUF whose output rx is interposed between c[i] and c[i+1] in the input of a y-XOR APUF.
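Under the same assumptions as the earlier sketch, a hypothetical simulation of the (x, y)-iPUF evaluation just described could look as follows (apuf_response is the helper from Section 3.1's sketch):

```python
def xor_apuf_response(weights, c):
    """XOR of the responses of the component APUFs (one weight vector per APUF)."""
    r = 0
    for w in weights:
        r ^= apuf_response(w, c)   # apuf_response from the sketch in Section 3.1
    return r

def ipuf_response(upper_weights, lower_weights, c, i):
    """(x, y)-iPUF evaluation: the upper x-XOR APUF's response rx is interposed
    after bit i of the n-bit challenge c, and the resulting (n+1)-bit challenge
    is fed to the lower y-XOR APUF (whose weight vectors have length n + 2)."""
    r_x = xor_apuf_response(upper_weights, c)
    c_y = list(c[: i + 1]) + [r_x] + list(c[i + 1:])
    return xor_apuf_response(lower_weights, c_y)
```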

When creating an n-bit (x, y)-iPUF, four important parameters determine its security against ML attacks: n, the length of the iPUF's challenge; x, the number of APUFs in the upper-layer XOR APUF; y, the number of APUFs in the lower-layer XOR APUF; and the position at which the response rx of the upper layer is interposed into the input challenge of the lower-layer y-XOR APUF. In the next two sections, we go over more details of the ML attacks on PUFs, including the (x, y)-iPUF. Based on this knowledge, we explain in Section 6.5 how to properly choose the design parameters of the (x, y)-iPUF to secure it against various ML attacks.

3.4 iPUF Security Philosophy

The iPUF design parameters are chosen to resist specific machine learning attacks. In this section, we explain why we let certain attacks, rather than others, dictate the choice of iPUF parameters. In Section 6 we will prove that the (x, y)-iPUF is secure against reliability-based CMA-ES attacks, so here we base our design choices only on classical machine learning attacks. Our explanation of design choices also requires us to develop a hierarchy that ranks some of the classical machine learning attacks. In this manner, we can show that the iPUF can defend against the strongest classical attack.

Theorem 1. For any given x-XOR APUF, the Logistic Regression (LR) attack is the most powerful attack among three classical machine learning attacks: the LR attack, the CRP-based CMA-ES attack and the Deep Neural Network (DNN) attack.

Proof. We note that the following comparison is only valid for XOR APUFs, and later we will link these comparison results to the security of iPUFs. The comparison is based on the following facts.

1. Fact 1. We can accurately describe the behavior of an XOR APUF using a mathematical model [Söl09, RSS+10].

2. Fact 2. The formulation of the LR attack exploits a-priori knowledge of the XOR structure in the XOR APUF, i.e., the mathematical model of the XOR APUF. The model used in the LR attack perfectly captures the structure of the XOR APUF [Söl09, RSS+10]. Moreover, LR is a gradient-based optimization methodology: in each iteration, the gradient is computed from a training dataset and the model is updated accordingly. The gradient gives the locally optimal update direction to guide the current model toward the true model in each iteration. The reader is referred to [Sch16] for more details.

3. Fact 3. The CRP-based CMA-ES attack is a gradient-free optimization methodology [Han16] that uses the mathematical model of the XOR APUF. In each iteration, it randomly generates a population of models based on the current model and then keeps only the best matching models among them (see [Han16] or Section 4.1 for more details). The current model is updated based on the information from these chosen models. Therefore, CRP-based CMA-ES only provides a heuristic update direction to take the current model toward the true model in each iteration, and it is not as efficient as LR (which has the optimal update direction in each iteration, as described in Fact 2). We also perform this attack on the iPUF and XOR APUF in Section 6.3.

4. Fact 4. The deep neural network algorithm is a black-box optimization methodology [GBC16], i.e., it does not use the mathematical model of the XOR APUF. This is its main disadvantage compared to LR. Note that the LR attack on the XOR APUF takes advantage of the mathematical model of the XOR APUF (see Fact 2). Therefore, LR does not have to optimize as many parameters as a DNN to model a PUF. In other words, the LR attack is more efficient than the DNN attack.


We formalize the result in the following inequalities of attack efficiency.

CMA-ES < Logistic Regression. (5)

Deep Neural Network < Logistic Regression. (6)

Our experimental results in Table 3 also confirm the arguments above. Hence, the most powerful classical attack on the XOR APUF is LR. However, the LR attack is not applicable to the iPUF, as we will show in Section 6.5. Therefore we have to show the resiliency of the iPUF against the DNN attack and the CRP-based CMA-ES attack. To the best of our knowledge, there is no theory which can give a lower bound on the required number of CRPs for training a machine learning model to learn an XOR APUF with a given prediction accuracy using CRP-based CMA-ES, the DNN attack, or LR. Since the structure of the iPUF is only slightly different from the structure of the XOR APUF, we do not have such a theory for the iPUF either.

For the x-XOR APUF, there is a theory stating that the number of CRPs required by the LR algorithm increases exponentially as x increases [Söl09]. Moreover, this theory was confirmed by experiments in [TB15], and the empirical lower bounds for the number of CRPs required by the LR algorithm are presented in [TB15].

Fortunately, we can come up with an “approximate” theory to choose the iPUF parameters based on the following information. First, we know from the above attack comparison that LR is the strongest classical attack on an XOR APUF, and we know the XOR APUF's state-of-the-art empirical lower bound on the number of CRPs needed to make the attack work [TB15]. Second, we know that the security of the iPUF can be related to the security of the XOR APUF (which we formally develop in Theorem 4); in brief, the (x, y)-iPUF with i = n/2 is equivalent to a (y + x/2)-XOR APUF (see Theorem 4). Based on these two pieces of information, we can conclude that if a (y + x/2)-XOR APUF can be secure against LR, then the (x, y)-iPUF with i = n/2 can be secure against DNN attacks and CRP-based CMA-ES attacks as well. The literature has shown that a 64-bit 10-XOR APUF is secure against the LR attack [TB15]. Based on that design, we suggest using a challenge length of n = 64 and a (1, 10)-iPUF with the interpose bit in the middle, i = n/2 = 32, as a set of practical design parameters.

4 Reliability Based ML Attacks

Conceptually, instead of using CRPs as in Classical ML (CML) attacks, the repeatability (i.e. short-term reliability) of APUF outputs can be used to build an APUF model based on a set of challenge-reliability (rather than challenge-response) pairs. The relationship between the reliability R and the weights w of an APUF was shown in Eq. (3) and Eq. (4). In [DV13] a Reliability based ML (RML) attack was mounted under the assumption that R ∈ [0.1, 0.9]. Based on this assumption, a system of linear equations was established using Eq. (4) so that w[i]/σ_N could be solved for using the Least Mean Square algorithm. This approach only applies to the APUF, not the XOR APUF, and by extension it also does not apply to the iPUF. However, RML attacks can be done without assumptions about the range of R, as we will explain in Section 4.1. Section 4.2 presents the enhanced version of this attack on the APUF and XOR APUF. In Section 4.3 we show how to model the iPUF as a linear approximation (LA) of an XOR APUF. This can be used to analyze to what extent the CML and RML attacks on the XOR APUF apply to the iPUF.


4.1 Reliability Based CMA-ES

In [Bec14, Bec15] an ML attack on APUFs was developed using CMA-ES with reliability information obtained from repeated measurements of CRPs. More precisely, the reliability information R of a challenge c (i.e. (c, R)) is used in the attack instead of the corresponding response r (i.e. (c, r)).

The rationale behind this attack is as follows: if the delay difference |∆| between the two competing paths in an APUF for a given challenge c is smaller than a threshold ε, then the corresponding response r will be unreliable in the presence of noise; otherwise the response will be reliable. This implies that reliability information directly leaks information about the “wire delays” in an APUF model. Let ri be the i-th measured response of challenge c for i = 1, . . . , M. Two different definitions of R, as provided in Eq. (7) and Eq. (8), are found in [DV13] and [Bec15], respectively:

R = (1/M) ∑_{i=1}^{M} ri, (7)

R = |M/2 − ∑_{i=1}^{M} ri|. (8)

Note that, similar to Eq. (7) and Eq. (8), repeatability for an APUF was defined as R = N/M ∈ [0, 1] (see Section 3.2). The objective of CMA-ES is to learn the weights w = (w[0], . . . , w[n]) together with a threshold value ε. All variables w[0], . . . , w[n] are treated as independent and identically distributed Gaussian random variables. The attack is conducted as follows:

1. Collect N challenge-reliability pairs Q = {(c1, R1), . . . , (ci, Ri), . . . , (cN, RN)}, where Ri is computed as in Eq. (8).

2. Generate K random models: (w1, ε1), . . . , (wj, εj), . . . , (wK, εK).

3. For each model (wj, εj) (j = 1, . . . , K), do the following steps:

(a) For each challenge ci (i = 1, . . . , N), compute R′i as follows:

R′i = 1 if |∆| ≥ ε, and R′i = 0 if |∆| < ε, (9)

where ε = εj and ∆ follows from Eq. (1) and Eq. (2) with c = ci and w = wj. Note that for a given model wj with input ci, R′i indicates whether the response of the model is reliable or noisy.

(b) Compute the Pearson correlation coefficient ρj between (R1, . . . , Ri, . . . , RN) and (R′1, . . . , R′i, . . . , R′N), where Ri is computed as in Eq. (8).

4. CMA-ES keeps the L models (wj, εj) which have the highest Pearson correlation ρ, and then, from these L models, another K models are generated based on the CMA-ES algorithm.


5. Repeat steps (3)-(4) for T iterations; the model (w, ε) with the highest Pearson correlation ρ is chosen as the desired model. Note that sometimes the chosen model may have low prediction accuracy, and in this case we restart the algorithm to find a model with higher prediction accuracy.
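As an illustration of steps 3(a)-(b), the following hedged sketch (assuming numpy/scipy and the parity_vector helper from Section 3.1's sketch; names are ours) computes the fitness of one candidate model. A complete attack would let an off-the-shelf CMA-ES optimizer propose and select models around this function.

```python
import numpy as np
from scipy.stats import pearsonr

def fitness(w, eps, challenges, observed_R):
    """Fitness of one candidate model (w, eps): the Pearson correlation between the
    observed reliabilities (Eq. (8)) and the model's reliability indicators (Eq. (9))."""
    psi = np.array([parity_vector(c) for c in challenges])   # parity_vector from Section 3.1's sketch
    delta = psi @ w
    predicted_R = (np.abs(delta) >= eps).astype(float)       # Eq. (9)
    # Pearson correlation is undefined for a constant vector; treat that as zero fitness.
    if predicted_R.std() == 0 or np.std(observed_R) == 0:
        return 0.0
    rho, _ = pearsonr(observed_R, predicted_R)
    return rho
```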

While the above pseudo-code is used to model an APUF, it can also be used to model an x-XOR APUF. Let

Q = {(c1, R1), . . . , (ci, Ri), . . . , (cN, RN)}

be a set of challenge-reliability pairs of an x-XOR APUF instance. If the CMA-ES algorithm for modeling an APUF is executed many times with the set Q, then it can produce x different models for A0, . . . , Ax−1 with high probability [Bec15]. Although there is no proof of how many times the CMA-ES algorithm has to be executed to obtain models of all APUF instances of the x-XOR APUF, it is observed experimentally that this number need not be large, e.g., 2x or 3x CMA-ES runs. As done in [Bec15], one can parallelize CMA-ES executions to build models for A0, . . . , Ax−1.

As explained above, the modeling of an x-XOR APUF simplifies to the modeling of x independent APUF instances in the reliability based CMA-ES attack. This is significant because the relationship between x and the number of CRPs needed for the reliability based CMA-ES attack is linear. As previously stated, CML attacks have an exponential relationship between the number of CRPs and x. Therefore, increasing x is a valid way to mitigate CML attacks. However, the reliability based CMA-ES attack cannot be defeated in the same manner.

4.2 Enhanced Reliability Based CMA-ES Attack on APUF and XOR APUF

In the reliability based CMA-ES attack, each model w is evaluated according to a fitness function. The fitness function correlates the observed reliability R of the PUF with the reliability of the estimated model R′. Let us denote the observed reliability R in Eq. (8) by Roriginal and the model reliability R′ in Eq. (9) by R′original. The correlation between Roriginal and R′original is limited by the fact that the observed reliability Roriginal ranges over [0, M/2], while R′original only takes values in {0, 1}. This is significant because the comparison of R′original and Roriginal is less accurate when the two terms do not have the same range of values.

We propose two alternative definitions for (Roriginal, R′original). We define (Rabsolute, R′absolute) and (Rcdf, R′cdf) as follows:

Roriginal = |M/2 − ∑_{i=1}^{M} ri| and R′original = 1 if |∆| ≥ ε, 0 if |∆| < ε, (10)

Rabsolute = |M/2 − ∑_{i=1}^{M} ri| and R′absolute = |∆|, (11)

Rcdf = (1/M) ∑_{i=1}^{M} ri and R′cdf = Φ(−∆/σ_N). (12)

We hypothesize that (Rcdf, R′cdf) can produce a more accurate model than (Roriginal, R′original) when attacking an individual APUF, for two reasons. First, (Rcdf, R′cdf) uses the proper reliability ranges. Second, (Rcdf, R′cdf) takes into account information from two sources, the reliability information and the response information of the APUF, by not using any absolute-value operation when computing R′cdf. However, when attacking an XOR APUF, the response of each individual APUF is not known, so (Rcdf, R′cdf) does not improve the reliability based CMA-ES attack in this case.

When attacking an XOR APUF, (Rabsolute, R′absolute) outperforms (Roriginal, R′original) because it has the proper reliability ranges. Since it does not attempt to use any response information (which is not available from individual APUFs in an XOR APUF), it also outperforms (Rcdf, R′cdf).

The simulated results of the enhanced attacks on the APUF and XOR APUF are presented in Section 8.3 and Section 8.4, respectively.
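For concreteness, a small sketch (assuming numpy/scipy; names are ours) of how the three (R, R′) variants in Eqs. (10)-(12) could be computed from M repeated measurements and a candidate delay model:

```python
import numpy as np
from scipy.stats import norm

def observed_reliabilities(responses):
    """responses: array of shape (N, M), i.e., M repeated measurements per challenge."""
    M = responses.shape[1]
    ones = responses.sum(axis=1)
    R_original = np.abs(M / 2 - ones)     # observed side of Eq. (10), identical to Eq. (8)
    R_absolute = np.abs(M / 2 - ones)     # observed side of Eq. (11)
    R_cdf = ones / M                      # observed side of Eq. (12), identical to Eq. (7)
    return R_original, R_absolute, R_cdf

def model_reliabilities(delta, eps, sigma_n):
    """delta: the candidate model's delay differences for the N challenges."""
    Rp_original = (np.abs(delta) >= eps).astype(float)   # model side of Eq. (10)
    Rp_absolute = np.abs(delta)                          # model side of Eq. (11)
    Rp_cdf = norm.cdf(-delta / sigma_n)                  # model side of Eq. (12)
    return Rp_original, Rp_absolute, Rp_cdf
```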

4.3 Linear Approximation of the (x, y)-iPUF

A technique that can be used in conjunction with CML or RML is linear approximation; this technique is specifically designed for use against the (x, y)-iPUF. We develop the technique based on the following observation: the input challenge to the y-XOR APUF in an (x, y)-iPUF differs from the input to a standard y-XOR APUF in only one bit. Assume i + 1 is the interposed bit position for the input challenge to the y-XOR APUF in an (x, y)-iPUF. The input to the y-XOR APUF is denoted as clow = (c[0], . . . , c[i], rx, c[i+1], . . . , c[n−1]). Instead of attempting to learn the x-XOR APUF in the (x, y)-iPUF to estimate rx, we can give bit i + 1 a fixed value, i.e., c′low = (c[0], . . . , c[i], 0, c[i+1], . . . , c[n−1]).

By making this approximation we can effectively ignore the x-XOR APUF component of the (x, y)-iPUF and treat the (x, y)-iPUF as a y-XOR APUF. Through this approximation we can do both CML and RML attacks on the (x, y)-iPUF while still using the XOR APUF model. These attacks are denoted as LA-CML and LA-RML. In Section 6.4.2 we analyze under what conditions the linear approximation accurately approximates the (x, y)-iPUF and how this attack can be mitigated.
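A minimal sketch of the approximation step (the helper name is ours; it reuses the list-based challenge layout of the earlier iPUF sketch):

```python
def la_challenge(c, i, guess=0):
    """Linear approximation of the (x, y)-iPUF: replace the unknown interposed bit rx
    by a fixed guess, yielding an (n+1)-bit challenge for a plain y-XOR APUF model."""
    return list(c[: i + 1]) + [guess] + list(c[i + 1:])
```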

5 Analysis of the Reliability based CMA-ES Attack

The reliability based CMA-ES attack is a serious security issue when designing a PUF. Our goal is to create a secure PUF design (the (x, y)-iPUF) that prevents this attack. To do this, it is necessary to understand under what conditions the reliability based CMA-ES attack works. In this section, we consider the following questions for an in-depth analysis of the reliability based CMA-ES attack:

1. In [Bec15] it is noted that CMA-ES converges more often to some APUF instances than others when modeling the components of an x-XOR APUF. Essentially this means some APUFs in an x-XOR APUF are easier and some are harder to model using the given challenge-reliability pairs. Why does this happen?

2. What are the conditions such that CMA-ES never converges to a particular APUF instance? In other words, under which conditions does the reliability based CMA-ES attack fail?

The first question was posed in [Bec15] without any theoretical answer, and the second question has not been investigated in the literature. The next experiments are aimed at answering these questions. Based on the knowledge gained from these experiments, we develop the (x, y)-iPUF, which is secure against the reliability based CMA-ES attack as well as the other known classical machine learning attacks mentioned in Section 2.

5.1 Experiment-I: Understanding CMA-ES Convergence

The objective of this experiment is to analyze why some APUF instances are easier and some are harder to model using reliability based CMA-ES.


Table 1: Relationship between the APUF model converged to by CMA-ES and the APUF's data set noise proportion in each data set Q

Rank:        n = 1  n = 2  n = 3  n = 4  n = 5  n = 6  n = 7  n = 8  n = 9  n = 10  Failed
Occurrence:  36%    5%     9%     5%     12%    7%     7%     5%     7%     5%      2%

Rank: the APUF model had the n-th highest data set noise proportion in the data set. Failed: failed to converge to any APUF model. Occurrence: percentage of runs in which that convergence occurred.

More specifically, we want to verify whether the probability of CMA-ES converging to an APUF model is correlated with the “data set noise proportion” of that APUF instance in a given data set Q. Here we define the data set noise proportion of a particular APUF in an x-XOR APUF as the number of noisy (unreliable) CRPs Qn due to the specified APUF divided by the total number of CRPs in Q. We define the noise rate β of a given PUF as follows. Let rc,1 and rc,2 be the values of the first and the second measurement of the PUF for a given challenge c, respectively. The noise rate β of the PUF is equal to Prc(rc,1 ≠ rc,2), i.e., β = Prc(rc,1 ≠ rc,2).

Every time we generate a new set Q, the challenge-reliability pairs (ci, Ri) of Q can be divided into two parts. The first part is made up of the reliable challenge-reliability pairs Qr and the second part is made up of the noisy challenge-reliability pairs Qn. Each APUF instance Ai has its own set of noisy challenge-reliability pairs Qi,n ⊂ Qn, i = 0, . . . , x − 1.
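In simulation, where the verifier knows the component APUFs, the data set noise proportion |Qi,n|/|Q| of each APUF can be estimated directly from repeated measurements, e.g., with the following hedged sketch (the array shape convention is our assumption):

```python
import numpy as np

def dataset_noise_proportions(component_responses):
    """Verifier-side estimate of |Q_{i,n}| / |Q| for each component APUF of a simulated
    x-XOR APUF. component_responses has shape (x, N, M): for each of the x APUFs, the
    M repeated (noisy) responses to each of the N challenges in Q. A challenge counts
    as noisy for APUF i if that APUF's repeated responses are not all identical."""
    noisy = component_responses.min(axis=2) != component_responses.max(axis=2)  # shape (x, N)
    return noisy.mean(axis=1)
```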

Theorem 2. For a given dataset Q, the CMA-ES algorithm is more likely to converge to the APUF instance which has the largest number of pairs in the combined set Qr ∪ Qi,n, i.e., the highest Pearson correlation, where Qr is the set of reliable CRPs and Qi,n is the set of noisy CRPs for APUF instance i.

Proof. Since Qr is useful for modeling all the APUF instances, the set Qi,n should be large to make Qr ∪ Qi,n sufficiently large for modeling the i-th APUF instance. From Step 4 of the reliability based CMA-ES attack in Section 4.1, it is clear that CMA-ES tends to converge to the APUF instance that has the largest value of |Qi,n|/|Q|.

To verify Theorem 2, we do the following experiment.

Experimental Setup: We run the CMA-ES algorithm 100 times on a simulated 10-XOR APUF. Each time we run CMA-ES we use a new randomly generated dataset Q which contains 70 × 10³ CRPs. The noise rate of each individual APUF is 20%. Note that the 20% noise rate is intentionally chosen to be large in order to keep the number of used CRPs small, i.e., the noisier each APUF, the fewer CRPs are required for the reliability-based attack. This is by no means the only possible noise rate that could work; we only use this noise rate here to illustrate the results of the experiment. It is important to note that while the noise rate of each APUF is the same, the data set noise proportion of each APUF in Q will change each time we generate a new Q. For each Q, we generate the challenge-reliability pairs by measuring the response to each challenge 11 times. The number of repeated measurements, 11, is chosen heuristically based on two criteria: it must be large enough to capture the reliability information with acceptable precision, but not so large that the repeated measurements significantly slow down the experiment.

Experimental Results: The results of Experiment I are summarized in Table 1. In each run of CMA-ES, a model w is generated. We classify the model in the following way: if the model w matches one of the APUF models with probability ≥ 0.9 or ≤ 0.1 (the complement model), then we accept it as a correct model for that particular APUF instance. If the generated model w does not match any of the APUF models, we consider the CMA-ES algorithm to have failed to converge correctly. Note that w can match at most one APUF instance. This is because if the model w corresponds to a particular APUF instance, then only that instance will have a matching probability ≥ 0.9 or ≤ 0.1, and the other APUF instances will have a matching probability around 0.5. This is due to the good uniqueness property of simulated APUF instances. Note that in Experiments I and II we are not a true adversary; rather, we act as a verifier of the reliability based CMA-ES attack on the x-XOR APUF as described in [Bec15]. In other words, we know all APUF instances and check whether a model produced by the CMA-ES algorithm is a correct model for one of them. The reader is referred to [Bec15] for a detailed description of a real attack.

For the given Q, we measure the data set noise proportion of each APUF with respect to the challenges present in Q. If CMA-ES converges to the APUF model with the highest data set noise proportion in the current Q, we increment the count in column one. If CMA-ES converges to the APUF model with the second highest data set noise proportion in the current Q, we increment the count in column two, and so on. If the CMA-ES algorithm generates a model that corresponds to none of the APUFs, then we say it failed to converge to any model.

Analysis of Results: The APUF with the highest data set noise proportion in Q should have the highest Pearson correlation coefficient, as explained in Theorem 2, and should therefore be the global maximum. However, CMA-ES does not guarantee convergence to the global maximum. When CMA-ES converges to a local maximum, it produces another one of the valid APUF models, or an invalid model. For this reason we can see in Table 1 that CMA-ES can converge to a PUF model that does not have the highest noise proportion, but only with small probability compared to the highest case, i.e., 5/100, 7/100, 9/100, 12/100 versus 36/100. Overall, every time we generate Q, the PUF with the highest noise proportion in Q has a high probability of being found by CMA-ES (i.e., 36/100). Likewise, the PUFs with a smaller noise proportion in Q have a smaller probability of being found.

5.2 Experiment-II: CMA-ES Reliability Conditions

The objective of this experiment is to understand under which conditions the reliability based CMA-ES attack fails to build a model for a particular APUF in an x-XOR APUF. From Experiment I we know that CMA-ES is most likely to converge to the APUF model which has the highest data set noise proportion in Q. We want to show that if the noise rates of the APUF instances contributing to the x-XOR APUF's output are not equal (i.e., drawn from different distributions), then some APUF models cannot be generated by CMA-ES.

Experimental Setup: We simulate a 2-XOR APUF consisting of two APUF instances, denoted A0 and A1. The noise rate of both APUFs is set at 1%. We run CMA-ES on the 2-XOR APUF 100 times. In each run of CMA-ES we generate a Q of size 70 × 10³, where each challenge in Q is evaluated 11 times to generate the reliability information.

In this experiment we hypothesize that CMA-ES fails to build a certain APUF model when that model always has a lower noise rate (and therefore a lower data set noise proportion in Q). To test this, we manipulate the reliability information presented in the final output such that A0 always has a lower data set noise proportion. This is achieved by applying majority voting to the responses of A0 before XOR-ing them with the response of A1. In the majority voting, we have experimented with M = 5 and M = 10 votes to observe the performance of CMA-ES. We note that the noise rate in this experiment (i.e., 1%) is not related to the noise rate in Experiment-I (i.e., 20%). Here, we intentionally choose a small noise rate to demonstrate two things: first, even if the noise rates of the APUFs are extremely small, the CMA-ES attack still works; second, even if there is only a small discrepancy in the noise rates of the two APUFs, CMA-ES will converge to the noisiest APUF model.


Table 2: Results of Experiment-II

M†    Number of times A0 found    Number of times A1 found
5     8                           92
10    0 ‡                         99 ‡

† No. of measurements used in the majority voting of A0.
‡ The sum of the two counts is not equal to 100 because one attack failed.

The numbers 5 and 10 for the majority voting and 11 for the reliability evaluation are chosen arbitrarily. While other values are possible, we use this one set of values to illustrate the results of our experiment.

Theorem 3. In a 2-XOR APUF, if one APUF instance is sufficiently more reliable than the other, then CMA-ES fails to converge to the APUF which has the lower noise rate.

Proof. We prove the theorem using the experimental setup described at the beginning of Section 5.2. If the number of votes M is sufficiently large, then the output of A0 is always more reliable than that of A1 due to the majority voting at the output of A0. This implies that |Q0,n|/|Q| ≪ |Q1,n|/|Q| for any given Q, where Qi,n is the set of noisy challenge-reliability pairs of Ai, i = 0, 1. For a given data set Q, as stated in Theorem 2, CMA-ES tends to converge with high probability to the model with the highest data set noise proportion. Hence, CMA-ES always converges to A1 when M is sufficiently large.

Experimental Results: The experimental results are shown in Table 2. The first column corresponds to the number of times the output of A0 was measured before majority voting was applied. The second and third columns report the number of times the correct model was found by CMA-ES for A0 and A1, respectively.

Analysis of Results: From Table 2, it is clear that if M is sufficiently large (M ≥ 10), then the reliability based CMA-ES attack cannot build a model for A0. This is because we decreased the noise rate of A0 by applying majority voting. Since A0 is less noisy, it will have a lower data set noise proportion in Q. As we established in the first experiment, CMA-ES tends to converge with high probability to the model with the highest data set noise proportion. In Table 2 we can clearly see this happening when M = 10, as CMA-ES is never able to build a model for A0 (the APUF with the lower data set noise proportion).

It is also important to note that merely giving the APUFs different noise rates does not make the XOR APUF secure against the reliability based CMA-ES attack. In the setup described in this experiment, an attacker could simply learn a model for A1 first. Once the model for A1 has been learned, the attacker could use it to remove most of the noisy challenge-reliability pairs corresponding to A1 from Q. Doing this would create a new dataset Qreduced from Q in which A0 would have the highest data set noise proportion. The attacker could then run CMA-ES on Qreduced to obtain a model for A0.

5.3 Inferences from the Experiments

Two important points can be understood from the experiments in this section. In order for the reliability based CMA-ES attack to be successful, the following conditions must be met:

1. All APUF instances' outputs must have the same influence on the final output of the PUF.

2. The noise rate of all APUF instances should be similar.

In the next section, we leverage the knowledge from these experiments to show how the proposed iPUF can be secured against the reliability based CMA-ES attack.


6 Security Analysis of iPUF against Machine Learning Attacks

In this section, we analyze the security and reliability of the proposed (x, y)-iPUF design. Starting in Section 6.1, we discuss the basic conjecture we use to reason about the security of the iPUF design. In Section 6.2 we begin our security analysis by first showing how a single challenge bit in an APUF affects its output r. We then develop a relationship between the security of the (x, y)-iPUF and the x-XOR APUF in Section 6.3. We then use the analysis from Section 6.2 to determine the most secure position for the interposed bit in a (1, 1)-iPUF in Section 6.4.2. Since the iPUF is developed to prevent reliability-based ML attacks, we also need to study the reliability of the (1, 1)-iPUF, as shown in Section 6.4.1. After that, we explain why the iPUF's design can prevent reliability-based ML attacks. While the (1, 1)-iPUF can prevent reliability-based ML attacks, properly choosing the interposed bit position alone is not enough: the (1, 1)-iPUF still suffers from classical machine learning, LA-CML and LA-RML attacks (see Section 4.3). Therefore, in Section 6.5 we expand our analysis to the (x, y)-iPUF where x ≥ 1 and y > 1. By using a middle interposed bit and properly choosing x and y ≥ 2, we are able to show that the (x, y)-iPUF is secure against all current state-of-the-art ML attacks. Based on our analysis, we claim that properly designed iPUFs are superior to XOR APUFs in terms of security, reliability and hardware overhead.

6.1 Security Conjecture and Design Philosophy of iPUF

Security Conjecture. Our basic security conjecture is that “if x is sufficiently large, then an x-XOR APUF is practically secure against all known classical ML attacks,” as stated in the literature [Söl09, RSS+10, TB15] (this is not an NP-hard problem). We show that the (x, y)-iPUF is equivalent to the (x/2 + y)-XOR APUF (see Definition 2 for the definition of equivalence), so it inherits the same classical ML security. Furthermore, the iPUF can prevent the reliability-based CMA-ES attack to which the XOR APUF is vulnerable. For PUF research, the XOR APUF w.r.t. classical ML is similar to the AES (Advanced Encryption Standard) block cipher in the sense that it is considered a hard problem by itself [Söl09, RSS+10, TB15], i.e., the security of AES is not reduced to any intractable problem [DR02]. Indeed, we can show that among all known classical ML attacks on the XOR APUF, the LR attack is the most powerful (see Theorem 1) because it is a gradient-based optimization method and it uses a mathematical model of the XOR APUF. In other words, it uses the information about the XOR APUF (the XOR APUF mathematical model) in the most efficient way. No non-repeated-measurement ML attack can match LR. Moreover, the LR attack on XOR APUFs has a full theory describing the relationship between modeling accuracy and modeling complexity [Söl09]. This theory is strongly supported by empirical results [TB15]. In summary, the resistance of the XOR APUF against all known machine learning attacks is well understood.

Design Philosophy. Our design philosophy is as follows: we propose that it is possible to construct a strong PUF whose security can be reduced to an intractable problem (classical ML on an XOR APUF). This practice of basing PUF security on a reduction to an intractable problem is not unique to this paper. For example, the LPN-based PUF [HRvD+17, JHR+17] uses this exact same formulation and reduces its security to a well-known computational hardness assumption: learning parity with noise (LPN). Note that the large matrix operations in the LPN-based PUF have an extremely large hardware footprint, making it not lightweight and hence not a solution to the fundamental PUF problem considered in this paper. To develop a lightweight and secure strong PUF, we adopt another approach. We use broken but lightweight and reliable PUF primitives (i.e., APUFs) to develop a secure, lightweight and reliable PUF design (i.e., the iPUF) which can be shown to be equivalent to a hard problem (classical ML on an XOR APUF).


We consider this approach a practical and proper methodology to develop a lightweight and secure strong PUF. To re-iterate, this process is commonly accepted in the cryptography community for developing cryptographic primitives such as block ciphers, stream ciphers and hash functions. In all these cryptographic primitives, the secure designs are built on insecure components such as S-boxes, non-linear shift registers, etc. [DR02, MOV96]. Moreover, the mathematical model of the APUF is fully developed and the iPUF is a simple composite APUF design. Hence, a full mathematical model of the iPUF can be developed for analysis purposes. This point is particularly important, because it allows a clean security analysis, as we will show in the rest of the paper. In summary, we use the APUF as a building block of the iPUF because it is a lightweight, reliable strong PUF with a clean mathematical model for analysis purposes. Our iPUF design is also notably simple; hence, it offers a clean framework for conducting security analysis.

6.2 Influence of Challenge Bit c[j] on the Response r in the APUF

The influence of a challenge bit on an APUF's response depends on its position in the challenge c [MKP09, DGSV14, NSCM16]. From Eq. (1), it can be observed that Ψ[j + 1], . . . , Ψ[n − 1] do not depend on challenge bit c[j]. For a given challenge c, based on the linear delay model of the APUF, the delay difference ∆ can be described as:

$$\Delta = (1 - 2c[j]) \cdot \Delta_{\mathrm{Flipping}} + \Delta_{\mathrm{Non\text{-}Flipping}}, \qquad (13)$$

where $\Delta_{\mathrm{Flipping}}$ is the term affected by the flipping of bit c[j], given by $\Delta_{\mathrm{Flipping}} = \frac{\sum_{i=0}^{j} w[i]\,\Psi[i]}{1 - 2c[j]}$, and the term that does not depend on the flipping of c[j] is $\Delta_{\mathrm{Non\text{-}Flipping}} = \sum_{i=j+1}^{n} w[i]\,\Psi[i]$.

If c[j] = 0, then ∆ = ∆_Flipping + ∆_Non-Flipping; we denote this ∆ as ∆_{c[j]=0} with corresponding response r_{c[j]=0}. Similarly, when c[j] = 1 we have ∆ = −∆_Flipping + ∆_Non-Flipping; we denote this ∆ as ∆_{c[j]=1} and the response as r_{c[j]=1}.

We want to know the influence of flipping c[j] on the output r. We measure this influence by computing the probability that the output remains the same if we flip bit c[j] while keeping the rest of c constant:

$$\Pr_c(r_{c[j]=0} = r_{c[j]=1}). \qquad (14)$$

In Appendix A.2, we explain:

$$\Pr_c(r_{c[j]=0} = r_{c[j]=1}) \approx \frac{n - j}{n}, \qquad j = 0, \ldots, n-1. \qquad (15)$$

This implies that the expected probability Pr_c(r_{c[j]=0} = r_{c[j]=1}) decreases with increasing j, so the influence of each challenge bit is not equal. This undesirable security property means we must carefully consider the position of the interposed bit. In the next section we analyze how the interposed bit position affects the security and reliability of the (1, 1)-iPUF. We note that the influence of individual challenge bits on the response is highly related to the SAC (Strict Avalanche Criterion) introduced in [MKP09, DGSV14, NSCM16]; the SAC property of the iPUF is further explained and analyzed in Section 7.2.
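To make this trend concrete, the following minimal Monte Carlo sketch simulates a standard additive linear delay model of an APUF and estimates, for a few bit positions j, the probability that the response is unchanged when c[j] is flipped. All names (phi, apuf_response) and parameter values are illustrative assumptions, not taken from the authors' code; the sketch is meant to show the qualitative decrease with j predicted by Eq. (15), not its exact constants, which are only approximate.

```python
# Minimal sketch under the standard additive delay model (assumption: Gaussian
# stage weights); estimates Pr[response unchanged when c[j] is flipped].
import numpy as np

rng = np.random.default_rng(0)

def phi(c):
    """Parity feature vector: Psi[i] = prod_{l=i}^{n-1} (1 - 2 c[l]), Psi[n] = 1."""
    s = 1 - 2 * np.asarray(c, dtype=float)
    psi = np.ones(len(c) + 1)
    psi[:-1] = np.cumprod(s[::-1])[::-1]
    return psi

def apuf_response(w, c):
    return int(np.dot(w, phi(c)) > 0)

n, trials = 64, 20000
w = rng.normal(0, 0.05, n + 1)           # one simulated APUF instance

for j in (0, 16, 32, 48, 63):
    same = 0
    for _ in range(trials):
        c = rng.integers(0, 2, n)
        c_flip = c.copy(); c_flip[j] ^= 1
        same += apuf_response(w, c) == apuf_response(w, c_flip)
    print(f"j={j:2d}: Pr[response unchanged] ~ {same/trials:.3f} "
          f"(Eq. (15) approximation: {(n - j)/n:.3f})")
```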

6.3 The Relationship between (x, y)-iPUF and (x + y)-XOR APUF

For a fixed challenge we study the contribution of each APUF component of an APUF-based PUF (i.e., XOR APUF or iPUF) to its output. Here we define contribution in the following manner.


Definition 1. [Contribution] For a given challenge c, if the output of an APUF A_i flips (while the rest of the APUF outputs are held constant) and this causes the final response r of the APUF-based PUF to flip, then we say that A_i contributes to the output for the challenge c.

In an x-XOR APUF it can clearly be seen that each of the x APUFs contributes to the output. This is because in an XOR gate, flipping any one of the inputs always causes the output to flip. We know that the more APUFs contribute to the output, the harder the XOR APUF design is to attack with classical machine learning.

Definition 2. [Equivalence] For a given challenge c, if an APUF-based PUF has m APUFs contributing to the final response, then we say that this PUF is equivalent to an m-XOR APUF for the challenge c.

Theorem 4. If the interposed bit position is i, then, averaged over all possible challenges c, the n-bit (x, y)-iPUF is equivalent to the n-bit (y + p_r x)-XOR APUF where

$$p_r = \frac{1 - (1-2p)^y}{2} \quad \text{and} \quad p = \frac{i}{n}.$$

Proof. We denote $r_y^0$ as the output of the iPUF when $r_x = 0$ with $c_y = (c[0], \ldots, c[i], r_x = 0, c[i+1], \ldots, c[n-1])$, and $r_y^1$ as the output of the iPUF when $r_x = 1$ with $c_y = (c[0], \ldots, c[i], r_x = 1, c[i+1], \ldots, c[n-1])$. Based on our definition of contribution above, if $r_y^0 = r_y^1$ then the x-XOR APUF output $r_x$ does not contribute to the final output $r_y$ of the iPUF. In this case only y APUFs contribute to the output of the iPUF. Note that we can also write $r_y^0 = r_y^1$ as $r_y^1 \oplus r_y^0 = 0$. Alternatively, if $r_y^1 \oplus r_y^0 = 1$, then the output of the (x, y)-iPUF depends on the output $r_x$ of the x-XOR APUF as well as the output $r_y$ of the y-XOR APUF. This implies that there are (x + y) APUFs which contribute to the final output $r_y$ for a given challenge. Therefore, the challenge-response space of an (x, y)-iPUF can be partitioned into two groups. The first group represents challenge-response pairs where the response only depends on the y APUFs of the y-XOR APUF. The second group of challenge-response pairs has responses which depend on both the x-XOR APUF and the y-XOR APUF (the response depends on a total of (x + y) APUFs). Now we calculate the expected number of challenge-response pairs in each group. First, we compute the probability that a challenge-response pair is in the second group:

$$p_r = \Pr_c(r_y^0 \neq r_y^1) = \Pr_c(r_y^0 \oplus r_y^1 = 1). \qquad (16)$$

Let r_low,0, r_low,1, . . . , r_low,y−1 be the outputs of the y APUFs in the lower-layer y-XOR APUF when r_x is 0. We assume ideal classical machine learning conditions where no measurement noise is present. Because there is no measurement noise, Section 6.2 is applicable: for a given challenge c, r_low,i depends on the upper-layer output r_x (in the sense that r_low,i would flip if r_x were substituted by 1) with probability p = (i + 1)/(n + 1) ≈ i/n if the feedback position of r_x is i. For a given challenge c, p_r is the probability that the response of the (x, y)-iPUF becomes equal to r = 1 ⊕ r_low,0 ⊕ . . . ⊕ r_low,y−1 if r_x were substituted by 1. Then p_r depends on i:

$$p_r = \sum_{k=1,\ k\ \mathrm{odd}}^{y} \binom{y}{k} p^{k} (1-p)^{y-k} = \frac{1 - (1-2p)^y}{2}. \qquad (17)$$

⁴ For any given a and b, we have
$$(a+b)^x \mp (a-b)^x = 2 \sum_{j=0,\ j\ \mathrm{odd/even}}^{x} \binom{x}{j} a^{x-j} b^{j}.$$
Hence, replacing a = 1 − p and b = p yields Eq. (17).


Figure 2: Prediction accuracy of the CRP-based CMA-ES attack on a 64-bit APUF (1-XP), 64-bit 2,3,4,5,6-XOR APUFs (y-XP) and the (1,5), (2,4), (3,3), (4,2), (5,1)-iPUFs ((x,y)-IP). (The vertical axis shows prediction accuracy from 0.5 to 1.)

Thus, a fraction 1 − p_r of challenge-response pairs is in the first group and a fraction p_r is in the second group. For a given (x, y)-iPUF with parameter i, the expected number of APUFs contributing to the response of a given challenge is

$$(1 - p_r)\,y + p_r\,(x + y) = y + p_r\,x. \qquad (18)$$

Simulation Validation. Through simulation we compare the (x, y)-iPUF and the (x + y)-XOR APUF. Since we only focus on the design, we consider reliable PUFs to experimentally demonstrate Eq. (18), i.e., if the interposed bit position is in the middle, then the (x, y)-iPUF is equivalent to a (y + x/2)-XOR APUF (see Theorem 4). We run the CRP-based CMA-ES attack on a 64-bit APUF (a.k.a. 1-XOR APUF or 1-XP), 64-bit 2,3,4,5,6-XOR APUFs (y-XP) and the (1,5), (2,4), (3,3), (4,2), (5,1)-iPUFs ((x,y)-IP) with 200,000 CRPs for training. In each attack the CMA-ES algorithm is run for 1000 iterations. The results are shown in Fig. 2. Each PUF is attacked 10 times and the prediction accuracy of each attack is computed using 2000 CRPs. Fig. 2 shows that the experimental results closely match the theory presented in Eq. (18). Note that the prediction accuracy of the (5,1)-iPUF is higher than that of the 3-XOR APUF or the 4-XOR APUF: when the lower layer has only one APUF, the linear approximation attack becomes effective. Here the attacker only needs to model the APUF in the lower layer accurately, after which the upper bound on the accuracy of the linear approximation attack on the (x, 1)-iPUF can be achieved, namely 75% accuracy. A detailed analysis of the linear approximation attack is provided in Section 6.4.2.

6.4 Security and Reliability Analysis of the (1,1)-iPUF

The most basic form of the (x, y)-iPUF is the (1, 1)-iPUF, with the upper layer consisting of a single APUF A_up and the lower layer consisting of a single APUF A_low. Let us denote the responses of A_up and A_low by r_up and r_low, respectively. The final output of the (1, 1)-iPUF is the response r_low.


Based on the (1, 1)-iPUF structure, we analyze where to interpose the bit in the lower APUF and how this choice affects the reliability and security of the (1, 1)-iPUF.

6.4.1 Reliability of the (1,1)-iPUF

In order to determine the effect of measurement noise in the (1, 1)-iPUF, we evaluate a challenge c twice. Let us denote r_up,0 as the response of the upper APUF and r_low,0 as the response of the lower APUF the first time the challenge is applied. Likewise, let us denote r_up,1 and r_low,1 as the APUFs' responses the second time the challenge is evaluated.

Assume APUF A_up has noise rate β_up such that Pr_c(r_up,0 ≠ r_up,1) = β_up. Similarly, assume that APUF A_low has noise rate β_low such that Pr_c(r_low,0 ≠ r_low,1 | r_up,0 = r_up,1) = β_low.

Let us denote i + 1 as the interposed bit position for r_up in the (n + 1)-bit challenge of A_low. If the flipping of the output of A_up flips the output of A_low and A_low is itself reliable, then the output of A_low is flipped; this event occurs with probability (1 − β_low)·(i + 1)/(n + 1). If the flipping of the output of A_up does not flip the output of A_low and A_low is itself noisy, then the output of A_low also flips; this event occurs with probability β_low·(1 − (i + 1)/(n + 1)). Therefore, the event where flipping the output of A_up flips the output of A_low occurs with probability

$$\Pr_c(r_{\mathrm{low},0} \neq r_{\mathrm{low},1} \mid r_{\mathrm{up},0} \neq r_{\mathrm{up},1}) = (1 - \beta_{\mathrm{low}})\,\frac{i+1}{n+1} + \beta_{\mathrm{low}}\left(1 - \frac{i+1}{n+1}\right).$$

We use the equality above and Eq. (15) to derive

$$\begin{aligned}
\Pr_c(r_{\mathrm{low},0} \neq r_{\mathrm{low},1}) &= \Pr_c(r_{\mathrm{low},0} \neq r_{\mathrm{low},1} \mid r_{\mathrm{up},0} = r_{\mathrm{up},1})\,\Pr_c(r_{\mathrm{up},0} = r_{\mathrm{up},1}) \\
&\quad + \Pr_c(r_{\mathrm{low},0} \neq r_{\mathrm{low},1} \mid r_{\mathrm{up},0} \neq r_{\mathrm{up},1})\,\Pr_c(r_{\mathrm{up},0} \neq r_{\mathrm{up},1}) \\
&= \beta_{\mathrm{low}}(1 - \beta_{\mathrm{up}}) + \left[(1 - \beta_{\mathrm{low}})\frac{i+1}{n+1} + \beta_{\mathrm{low}}\left(1 - \frac{i+1}{n+1}\right)\right]\beta_{\mathrm{up}} \\
&= \beta_{\mathrm{low}}(1 - \beta_{\mathrm{up}}) + \left[(1 - 2\beta_{\mathrm{low}})\frac{i+1}{n+1} + \beta_{\mathrm{low}}\right]\beta_{\mathrm{up}}. \qquad (19)
\end{aligned}$$

In practice β_up ≪ 1 and β_low ≪ 1; thus Eq. (19) can be approximated as

$$\Pr_c(r_{\mathrm{low},0} \neq r_{\mathrm{low},1}) \approx \beta_{\mathrm{low}} + \beta_{\mathrm{up}}\,\frac{i}{n}. \qquad (20)$$

From Eq. (19) and Eq. (20) it can be seen that the amounts of reliability information of A_up and A_low available at the output of the (1, 1)-iPUF are not equal, even when β_low = β_up. If we assume β_low = β_up = β, then A_low contributes approximately β while A_up contributes approximately β·i/n. The unequal reliability contribution shown by our analysis has important implications for the resilience against the reliability based CMA-ES attack.

6.4.2 Security of (1, 1)-iPUF

We now discuss the security of the (1,1)-iPUF with respect to the reliability based CMA-ES attack (i.e., RML), CML attacks, and ML attacks that use a linear approximation technique (i.e., LA-CML and LA-RML).

Reliability Based CMA-ES Attack: If the interposed bit position for r_up is properly chosen, the (1,1)-iPUF is theoretically secure against the reliability based CMA-ES attack for two reasons: the first is based on the conditions under which the CMA-ES attack operates, and the second is based on the computation done to learn the APUF model in CMA-ES.


First, recall the conditions under which the reliability based CMA-ES attack works, as described in Section 5.2. In order to successfully model the APUF components A_up and A_low, each APUF must contribute equal reliability information to the output. For the (1,1)-iPUF, we showed in Eq. (20) that the contributions of A_low and A_up are not equal, i.e., β is not equal to β·i/n when i is between 0 and n/2. Due to the unequal contribution of reliability information in the output when the interposed bit position (i + 1) is not close to n, CMA-ES will not converge to the model of A_up. We performed the following experiment to determine the importance of the interposed bit position. We launched the reliability based CMA-ES attack on a 64-bit (1,1)-iPUF with 30,000 challenge-reliability pairs. In this experiment, the noise rate of each APUF was 20% (β = 0.2) and the number of CMA-ES iterations was 30,000. We repeated the attack 20 times with the interposed bit position at 0 (i = 0), 32 (i = n/2) and 64 (i = n). The result shows that A_up can be modeled (i.e., the prediction accuracy of the model of A_up is 98%) when i = n = 64. However, if the interposed position is in the middle (i = 32) or at the first stage (i = 0), then A_up cannot be modeled (i.e., the prediction accuracy of the model of A_up is 51%).

Since we cannot build a model for A_up first, we must instead try to build a model for A_low first. This brings us to the second reason why the (1,1)-iPUF is secure against the reliability based CMA-ES attack. Recall from Section 4.1 that ∆ is needed to compute the fitness of each model w, and ∆ is based on the input to A_low. However, we do not know one of the input bits (the interposed bit) of A_low, so we cannot compute ∆ (see the calculation of ∆ in Eq. (1) and (2)).

However, we should take a closer look at the way the computation of ∆ is done to understand how the interposed bit position affects the modeling attack on A_low. In Section 6.2, we have ∆ = (1 − 2c[j]) · ∆_Flipping + ∆_Non-Flipping (see Eq. (13)); thus, if j gets closer to 0, then ∆ and ∆_Non-Flipping become similar. Strictly speaking, we cannot run CMA-ES to build a model for A_low when the interposed bit position i is NOT close to 0, for example when the interposed bit position is in the range [n/2, n].

Conclusion: We cannot model A_up due to the unequal reliability information at the output, and we cannot model A_low due to the unknown value of the interposed bit when the interposed bit position is properly chosen. Therefore, we claim the (1, 1)-iPUF is secure against the reliability based CMA-ES attack when the interposed bit position is properly chosen in the middle of the input to A_low.

Classical Machine Learning Attacks: The (1, 1)-iPUF is not secure against classical machine learning attacks due to its low model complexity. Instead of modeling the APUF components individually, any machine learning algorithm can be used to learn the models for A_low and A_up simultaneously. Experiments supporting this claim are given in Section 8 (see Table 4). Note that, while the iPUF is vulnerable to classical derivative-free machine learning, we will prove in the next section that derivative-based classical machine learning attacks are not possible on an iPUF. As a result, we only need to consider derivative-free classical machine learning attacks on an iPUF.

Attacks Using Linear Approximation (LA-CML and LA-RML): The security of the (1, 1)-iPUF against ML attacks that use the linear approximation (see Section 4.3) depends on the choice of the interposed bit position. In this attack, any CML or RML attack on an XOR APUF can be adapted to work on an (x, y)-iPUF. This adaptation is done by approximating the (x, y)-iPUF as a y-XOR APUF, fixing the interposed bit from the x-XOR APUF to 0. In the case of the (1, 1)-iPUF this means that we ignore the component A_up and approximate the (1, 1)-iPUF by the APUF A_low.

Let us denote c_low as the input to A_low and c′_low as the approximation of c_low where we fix the interposed bit r_up in c_low to 0. We write A_low(c′_low) for the output of the linear approximation and A_low(c_low) for the output of the (1, 1)-iPUF. We can now analyze how effective the linear approximation is.


We measure the effectiveness of the approximation by computing the probability that the output of the linearized model A_low(c′_low) matches the output of A_low(c_low):

$$p_{\mathrm{approx}} = \Pr_c(A_{\mathrm{low}}(c'_{\mathrm{low}}) = A_{\mathrm{low}}(c_{\mathrm{low}})). \qquad (21)$$

If p_approx is high, then the (1, 1)-iPUF is accurately approximated by the APUF A_low(c′_low) and can be modeled with an ML attack.

Let us assume the following conditions for the analysis of the attack; for ease of explanation, we drop the subscript low from c′_low and c_low. We model an (x, 1)-iPUF with APUF components that are 100% reliable and whose upper x-XOR APUF output r_up is uniform, i.e., Pr_c(r_up = 0) = Pr_c(r_up = 1) = 1/2. Then,

$$\begin{aligned}
p_{\mathrm{approx}} &= \Pr_c(A_{\mathrm{low}}(c') = A_{\mathrm{low}}(c)) \\
&= \Pr_c(A_{\mathrm{low}}(c') = A_{\mathrm{low}}(c) \mid r_{up} = 0)\,\Pr_c(r_{up} = 0) + \Pr_c(A_{\mathrm{low}}(c') = A_{\mathrm{low}}(c) \mid r_{up} = 1)\,\Pr_c(r_{up} = 1) \\
&= 1 \times \tfrac{1}{2} + \frac{n-i}{n} \times \tfrac{1}{2} = \frac{1}{2} + \frac{n-i}{2n}. \qquad (22)
\end{aligned}$$

Eq. (22) shows that p_approx decreases as i increases. Note that our discussion holds for any (x, 1)-iPUF and thus it is applicable to the (1, 1)-iPUF. We model a 64-bit (1,1)-iPUF using the reliability based CMA-ES attack with the linear approximation (LA-RML). The number of challenge-reliability pairs is 30,000 and the noise rate is 20%. In this experiment, the prediction accuracy of LA-RML on a 64-bit (1,1)-iPUF for i = 0, 32, 64 is equal to 97%, 70% and 51%, respectively. A similar result can be achieved by using CRP based CMA-ES (classical machine learning).

A prediction accuracy of 50% is the worst a machine learning attack can do on a PUF with uniform binary output. Therefore, it would seem that picking the interposed bit position to be as high as possible would result in the most secure (x, y)-iPUF design. However, below we explain why choosing a high interposed position is not ideal.

Interposed Bit Position: In the (1, 1)-iPUF the only design parameter we must choose is the interposed bit position. The higher the interposed bit position, the more influence A_up has on the (1, 1)-iPUF. As a result the PUF model is more complex: it is more difficult to attack with CML attacks and the linear approximation is less accurate. However, a high bit position yields high noise on the output (making it less reliable). In addition, with a high interposed bit position and a large enough number of input bits, the (1, 1)-iPUF becomes equivalent to an XOR APUF in terms of susceptibility to RML attacks.

The conclusion from the analysis of the (1, 1)-iPUF is that using the interposed bit position as the only security parameter is not enough to mitigate all the different ML attacks. We seek a trade-off between all the factors by choosing the interposed bit to be the middle bit position. Based on this choice, we then analyze how to choose x and y to further secure our design in Section 6.5.

6.5 Security Analysis of the (x, y)-iPUF

The analysis in Section 6.4.2 shows that the (1, 1)-iPUF with a middle interposed bit position can defeat the reliability based CMA-ES attack. However, the (1, 1)-iPUF is still vulnerable to CML attacks and to both types of attacks that employ the linear approximation (LA-CML and LA-RML). In this section we show how selecting x and y mitigates the remaining ML attacks: we prove that CRP based Logistic Regression attacks are not applicable, and we show how the (x, y)-iPUF can mitigate the reliability based CMA-ES attack (RML), CML attacks (LR, DNN, CRP-based CMA-ES), LA-CML and LA-RML, and PAC learning attacks (the Boolean function based attack, the DFA attack and the Perceptron attack).


Reliability based CMA-ES Attack: The security argument for the (1, 1)-iPUF in Section 6.4.2 also applies to the (x, y)-iPUF. Using challenge-reliability pairs and CMA-ES, an adversary cannot build models for the x component APUFs of the x-XOR APUF. This is due to the unequal contribution of noise at the output between the x-XOR APUF and the y-XOR APUF (see Section 7.1 for a detailed reliability analysis). An adversary also cannot build models for the y component APUFs of the y-XOR APUF, as r_x (at the interposed bit position) is not known. Therefore, we consider the (x, y)-iPUF to be secure against the reliability based CMA-ES attack.

Classical Machine Learning Attacks: There is no known way the APUF components of the (x, y)-iPUF can be modeled individually. As a result, the only way to attack an (x, y)-iPUF is by modeling all (x + y) component APUFs simultaneously using classical machine learning, e.g., a neural network or CRP based CMA-ES. Rührmair et al. [RSS+10] showed that the more APUFs contribute to the output of an XOR APUF, the more difficult the PUF is to model using CML methods. In other words, increasing x in an x-XOR APUF can mitigate CML attacks. In Theorem 4, we prove that if the interpose position of r_x is i, then the (x, y)-iPUF is equivalent to a (y + p_r x)-XOR APUF where

$$p_r = \frac{1 - (1-2p)^y}{2} \quad \text{and} \quad p = \frac{i}{n}.$$

If i = n and y is odd, then p_r = 1 and the (x, y)-iPUF is equivalent to the (x + y)-XOR APUF in terms of security, because all (x + y) APUFs contribute to every challenge-response pair. If i = 0, then p_r = 0 and the (x, y)-iPUF is equivalent to a y-XOR APUF. In terms of difficulty of modeling with classical machine learning methods (i.e., CRP based CMA-ES), the (x, y)-iPUF with parameter i is approximately equivalent to a (y + p_r x)-XOR APUF. We experimentally verify this claim in Section 8.2 (see Figures 2 and 5). As a result, we can use the same strategy employed in the XOR APUF design [RSS+10] and increase x and y in an (x, y)-iPUF to mitigate classical machine learning attacks. It is also worth noting that the analysis determining the number of contributing APUFs in an iPUF can be used to derive further iPUF properties such as uniformity, uniqueness and reliability.

LA-RML. Reliability based CMA-ES applied to an (x, y)-iPUF after linearly approximating it as a y-XOR APUF learns one single component APUF of the y-XOR APUF. In the linear approximation we substitute r_x from the upper x-XOR APUF by 0 and feed 0 into the lower y-XOR APUF. If we denote the single component APUF which we try to learn using CMA-ES by A_low, then, for the challenge interposed with r_x, the output of A_low is the output of an (x, 1)-iPUF. That is, we attempt to learn a model for A_low from a linear approximation of an (x, 1)-iPUF. From Eq. (22), with the interpose bit position in the middle, we infer that the model at best predicts A_low with p_approx = 75% accuracy. Reliability based CMA-ES learns models for each of the component APUFs of the lower y-XOR APUF, each with at most 75% accuracy. This shows that the maximum accuracy of the learned approximated y-XOR APUF is at most

$$p^{\mathrm{XOR}}_{\mathrm{learn}} = \sum_{j=0,\ j\ \mathrm{even}}^{y} \binom{y}{j} (1-p_{\mathrm{approx}})^{j}\, p_{\mathrm{approx}}^{\,y-j} = \frac{1 + (2p_{\mathrm{approx}} - 1)^y}{2} = \frac{1}{2} + \frac{1}{2^{y+1}}.$$

This shows that p^XOR_learn is close to 1/2 for y large enough, which implies that the learned model of the linearly approximated y-XOR APUF does not contain predictive value⁵.

⁵ We can compare the model's output with the iPUF's output and attempt to find out whether this teaches something about r_x. Due to the XOR in the lower y-XOR APUF, the outputs of individual component APUFs are masked so that little can be learned about r_x. For small y = 1, we are able to learn some information about r_x from comparing the model's output with the iPUF's actual output; this can then be used to learn about the upper x-XOR APUF.

If y ≥ 3, then p^XOR_learn ≤ 56.25%. We launched the LA-RML attack on a 64-bit (3,3)-iPUF. In this experiment the noise rate of each APUF was 20%. The prediction accuracy of the final model was around 50% (confirming the theoretical upper bound) when 200,000 challenge-reliability pairs were used in the training phase (see Table 4).

LA-CML. In the case of linearly approximating the (x, y)-iPUF as a y-XOR APUF and applying classical ML, we know that learning a model for even a noise-free 64-bit y-XOR APUF is currently not practical for y ≥ 10 if LR is used, and not practical for even smaller y if CRP based CMA-ES is used. However, even if the iPUF itself is 100% reliable, a reliable CRP of the iPUF may be a noisy CRP of the linearly approximated y-XOR APUF. By combining Eq. (15) with the derivation leading to Eq. (22), the accuracy p^XOR_approx of the linearly approximated y-XOR APUF itself is given by

$$p^{\mathrm{XOR}}_{\mathrm{approx}} = 1 \times \tfrac{1}{2} + p' \times \tfrac{1}{2}, \quad \text{where} \quad p' = \sum_{j=0,\ j\ \mathrm{even}}^{y} \binom{y}{j} \left(\frac{i}{n}\right)^{j} \left(\frac{n-i}{n}\right)^{y-j} = \frac{1 + (1 - \frac{2i}{n})^y}{2}.$$

After substituting p′ we obtain

$$p^{\mathrm{XOR}}_{\mathrm{approx}} = \frac{3}{4} + \frac{1}{4}\left(1 - \frac{2i}{n}\right)^{y}.$$

If the interposed bit is at the middle position (i.e., i = n/2), then p^XOR_approx is 75%. This implies that the noise rate of the linearly approximated y-XOR APUF given by the CRPs from the iPUF is 25%. For this reason CML should be even more difficult: we performed the LA-CML attack using CRP based CMA-ES on a reliable 64-bit (3,3)-iPUF. The prediction accuracy of the model is around 50% when 200,000 CRPs are used in the training phase (see Table 4).
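For reference, the two accuracy bounds derived above are easy to evaluate directly; the sketch below computes the LA-RML bound 1/2 + 1/2^(y+1) and the LA-CML approximation accuracy 3/4 + (1/4)(1 − 2i/n)^y for a few values of y (the parameter choices are illustrative).

```python
# Minimal sketch evaluating the LA-RML and LA-CML bounds derived above.
def la_rml_bound(y):
    return 0.5 + 1 / 2 ** (y + 1)                 # p_learn for middle interpose

def la_cml_accuracy(y, i, n=64):
    return 0.75 + 0.25 * (1 - 2 * i / n) ** y     # p_approx of the y-XOR approximation

for y in (1, 2, 3, 5):
    print(f"y={y}: LA-RML bound {la_rml_bound(y):.4f}, "
          f"LA-CML accuracy i=n/2: {la_cml_accuracy(y, 32):.2f}, "
          f"i=n/4: {la_cml_accuracy(y, 16):.3f}")
```

For y = 3 this reproduces the 56.25% LA-RML bound quoted above, and for a middle interpose position the LA-CML approximation accuracy is 75% for any y.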

Logistic Regression Attack on the iPUF: In the analysis of the security of the iPUF against classical ML attacks, we did not specifically consider the type of machine learning attack, i.e., deep neural network, Logistic Regression, or CRP based CMA-ES. Here we prove that Logistic Regression attacks can at best learn a linearly approximated model of the iPUF and therefore reduce to LA-RML or LA-CML.

Basically, CRP based Logistic Regression works more efficiently than CRP based CMA-ES when the search space is large. For example, in [TB15], Logistic Regression successfully models a 4-XOR APUF with only 15,000 CRPs, while with CMA-ES we cannot obtain a good model of a 4-XOR APUF even with 200,000 CRPs (see Figure 2). Hence, it is important to know whether any Logistic Regression based attack on the iPUF exists. We show that the answer to this question is NO by analyzing Logistic Regression (LR).

In the upper x-XOR APUF of the iPUF there are x n-bit APUF instances; we denote by $\mathbf{w}^x = (\mathbf{w}^x_1, \ldots, \mathbf{w}^x_x)$ the model of the x-XOR APUF, where each $\mathbf{w}^x_i = (\mathbf{w}^x_i[0], \ldots, \mathbf{w}^x_i[n])$, $i = 1, \ldots, x$, is the (n + 1)-dimensional vector modeling one APUF of the x-XOR APUF. Similarly, $\mathbf{w}^y = (\mathbf{w}^y_1, \ldots, \mathbf{w}^y_y)$ is the model of the y-XOR APUF of the iPUF, where the $\mathbf{w}^y_i$ are (n + 2)-dimensional vectors modeling the APUFs of the y-XOR APUF. In order to enable derivative based ML attacks, we follow the approach proposed in [RSS+10, Söl09] (this is the Logistic Regression ML attack on an x-XOR APUF), i.e., we approximate the discrete outputs $r_x$ and $r_y$ by continuous relaxations.



Concretely, we use the sigmoid function σ(·), where σ(x) = 1/(1 + exp(−x)). More precisely, we define the following functions (here Ψ(c, r_x) denotes Ψ(·) applied to challenge c interposed with r_x):

$$\begin{aligned}
\Delta_x &= g_x(\mathbf{w}^x, c) = \prod_{i=1}^{x} \langle \mathbf{w}^x_i, \Psi(c) \rangle, \\
r_x &= \delta(\Delta_x) = \delta(g_x(\mathbf{w}^x, c)), \\
r_x &= \delta(\Delta_x) + e(\Delta_x) = \delta(g_x(\mathbf{w}^x, c)) + e(g_x(\mathbf{w}^x, c)), \\
\Delta_y &= g_y(\mathbf{w}^y, c, r_x) = \prod_{i=1}^{y} \langle \mathbf{w}^y_i, \Psi(c, r_x) \rangle, \\
r_y &= \sigma(\Delta_y) = \sigma(g_y(\mathbf{w}^y, c, r_x)),
\end{aligned}$$

where δ(x) is the step function, i.e., δ(x) = 1 if x > 0 and δ(x) = 0 otherwise, and e is a certain error function chosen by the adversary. The function δ has derivative 0 everywhere except at x = 0 (where the derivative is ∞), and e(x) is differentiable everywhere. Since in practice ∆_x is never exactly equal to 0, we may assume that the derivative of δ at ∆_x is always equal to 0.

In order to find the optimal solution w = (w^x, w^y) (i.e., the model of the (x, y)-iPUF) starting from a randomly generated model w, we define the following function as described in [RSS+10, Söl09]:

$$l = -\frac{1}{N} \sum_{(c_i, r_i),\, i=1,\ldots,N} \ln\!\left(\sigma(\Delta_y)^{r_i}\,(1 - \sigma(\Delta_y))^{1-r_i}\right),$$

where (c_1, r_1), . . . , (c_N, r_N) are the challenge-response pairs of the iPUF in the training set. After that, we need to compute the gradient of l in order to find the optimal solution, i.e., we need to compute

$$\nabla l = \left( \frac{\partial l}{\partial \mathbf{w}^x_1[0]}, \ldots, \frac{\partial l}{\partial \mathbf{w}^x_1[n]}, \ldots, \frac{\partial l}{\partial \mathbf{w}^x_x[0]}, \ldots, \frac{\partial l}{\partial \mathbf{w}^x_x[n]}, \frac{\partial l}{\partial \mathbf{w}^y_1[0]}, \ldots, \frac{\partial l}{\partial \mathbf{w}^y_1[n]}, \ldots, \frac{\partial l}{\partial \mathbf{w}^y_y[0]}, \ldots, \frac{\partial l}{\partial \mathbf{w}^y_y[n]} \right).$$

After that we update w = w − η∇l, where η is the learning step size. By repeating this update many times, we hope that the algorithm converges to an optimal solution w∗. Now we focus on the calculation of ∂l/∂w^x_i[j], which is equal to

$$\frac{\partial l}{\partial \mathbf{w}^x_i[j]} = \frac{\partial}{\partial \mathbf{w}^x_i[j]} \left( -\frac{1}{N} \sum_{(c_i, r_i)} \ln\!\left(\sigma(\Delta_y)^{r_i}(1-\sigma(\Delta_y))^{1-r_i}\right) \right) = -\frac{1}{N} \sum_{(c_i, r_i)} \left[ r_i(1 - \sigma(\Delta_y)) - (1 - r_i)\,\sigma(\Delta_y) \right] \frac{\partial \Delta_y}{\partial \mathbf{w}^x_i[j]}.$$

We have

$$\frac{\partial \Delta_y}{\partial \mathbf{w}^x_i[j]} = \frac{\partial g_y}{\partial \mathbf{w}^x_i[j]} = \frac{\partial g_y}{\partial[\delta(\Delta_x) + e(\Delta_x)]} \cdot \frac{\partial[\delta(\Delta_x) + e(\Delta_x)]}{\partial \mathbf{w}^x_i[j]} = \frac{\partial g_y}{\partial[\delta(\Delta_x) + e(\Delta_x)]} \cdot \frac{\partial e(\Delta_x)}{\partial \Delta_x} \cdot \frac{\partial \Delta_x}{\partial \mathbf{w}^x_i[j]}$$

(since δ′(∆_x) = 0 as explained above). But if we consider using the linear approximation with this attack, where we fix r_x = 0 + e(∆_x), then we obtain exactly the same result, i.e.,

$$\frac{\partial \Delta_y}{\partial \mathbf{w}^x_i[j]} = \frac{\partial g_y}{\partial[\delta(\Delta_x) + e(\Delta_x)]} \cdot \frac{\partial e(\Delta_x)}{\partial \Delta_x} \cdot \frac{\partial \Delta_x}{\partial \mathbf{w}^x_i[j]},$$


since ∆_x is exactly equal to 0 with probability 0, and outside ∆_x = 0, δ(∆_x) has derivative 0.

This fact implies that we cannot distinguish the partial derivatives of the iPUF model from those of the linearly approximated model of the iPUF. From this analysis, we conclude that Logistic Regression attacks are equivalent to Logistic Regression attacks that use the linear approximation. Due to this fact, the iPUF can mitigate Logistic Regression attacks just like it mitigates attacks that use the linear approximation, by choosing y ≥ 3.
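A minimal numerical sketch of this argument is given below for the simplest case of a single lower-layer APUF (y = 1): because the step function δ contributes zero derivative almost everywhere, the finite-difference derivative of ∆_y with respect to an upper-layer weight is identical whether r_x is modeled as δ(∆_x) + e(∆_x) or as 0 + e(∆_x). The feature map phi, the choice e(·) = tanh(·) and all parameter values are illustrative assumptions, not the adversary's actual choices.

```python
# Minimal sketch: the LR-style gradient through the upper layer is governed only
# by the smooth term e(Delta_x); the step delta(Delta_x) contributes nothing
# (assuming the tiny perturbation does not cross Delta_x = 0, which happens with
# probability ~0).
import numpy as np

rng = np.random.default_rng(1)
n, i_pos = 64, 31                        # interpose r_x after c[31] (middle position)

def phi(bits):
    """Parity feature map; also works for a real-valued relaxed bit r_x."""
    s = 1 - 2 * np.asarray(bits, dtype=float)
    psi = np.ones(len(bits) + 1)
    psi[:-1] = np.cumprod(s[::-1])[::-1]
    return psi

def delta_y(w_up, w_low, c, use_step):
    d_x = np.dot(w_up, phi(c))
    r_x = (1.0 if d_x > 0 else 0.0) * use_step + np.tanh(d_x)   # delta(.) + e(.)
    c_low = np.concatenate([c[:i_pos + 1], [r_x], c[i_pos + 1:]])
    return np.dot(w_low, phi(c_low))

w_up  = rng.normal(0, 0.05, n + 1)
w_low = rng.normal(0, 0.05, n + 2)
c = rng.integers(0, 2, n).astype(float)

j, h = 10, 1e-6                          # perturb one upper-layer weight
for use_step in (1.0, 0.0):              # full model vs. linear approximation
    w_pert = w_up.copy(); w_pert[j] += h
    grad = (delta_y(w_pert, w_low, c, use_step) - delta_y(w_up, w_low, c, use_step)) / h
    print(f"use_step={use_step:.0f}: numerical d(Delta_y)/d(w_up[{j}]) = {grad:.6f}")
```

Both printed values coincide, illustrating that LR sees the iPUF exactly as it sees the linearly approximated model.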

We already proved that the (x, y)-iPUF with the interposed bit position in the middle is equivalent to a (y + x/2)-XOR APUF in terms of general security. From Inequality (6), we can now argue that y + x/2 < 10 already suffices to defeat derivative-free modeling attacks on a (y + x/2)-XOR APUF: the number 10 is reported in [TB15], where it is shown that if y + x/2 = 10, then even the state-of-the-art derivative based machine learning attacks are infeasible on a (y + x/2)-XOR APUF. This means that iPUFs require fewer APUF components than an XOR APUF to be secure. As a result, iPUFs are better in terms of security, reliability and hardware overhead compared to XOR APUFs.

Deep Neural Network Attacks on the iPUF: To the best of our knowledge, there is no theory which gives a lower bound on the number of CRPs required for attacking iPUFs with deep neural networks. Instead, we leverage the relationship between XOR APUFs and iPUFs developed above to map this problem to attacking XOR APUFs using deep neural networks. In this attack, the deep neural network needs to learn the structure of the XOR APUF (no specific mathematical model is assumed); essentially, deep neural networks use a black-box learning approach. Logistic Regression, however, uses a precise mathematical model of the XOR APUF. This means LR is more powerful for attacking XOR APUFs than deep neural networks. Hence, if we choose x, y such that the (y + x/2)-XOR APUF is secure against Logistic Regression attacks, then we know that the (x, y)-iPUF with the interpose bit in the middle is also secure against deep neural network attacks. For example, we can choose x = 2, y = 9 (such that y + x/2 = 10), interpose bit i = 32, and challenge length n = 64, knowing that a 64-bit 10-XOR APUF is secure against the Logistic Regression attack in practice [TB15]. Detailed experimental results for deep neural network attacks on XOR APUFs can be found in Section 8.2.2.

(CRP-based) CMA-ES Attacks on the iPUF: CMA-ES, as a derivative-free optimization method, is always less efficient than a derivative-based optimization method like Logistic Regression, because the derivative indicates the best direction towards the optimal solution. So far there is no theory giving a lower bound on the number of CRPs required to model iPUFs or XOR APUFs with CMA-ES. Hence, we use the same methodology as discussed for deep neural networks above. Furthermore, comparing CRP-based CMA-ES to Logistic Regression experimentally (see Section 8), we see that in general Logistic Regression can model an XOR APUF with higher accuracy using fewer CRPs than CRP-based CMA-ES. Therefore, the (x, y)-iPUF can be secured against CRP-based CMA-ES attacks by setting x, y such that (y + x/2)-XOR APUFs are resilient against Logistic Regression.

PAC-Learning Attacks on the iPUF: In [GTS15, GTS16, GTFS16], the authors proposed novel modeling attacks in the PAC learning framework. PAC learning attacks can be divided into three categories: the Boolean function based attack [GTFS16], the Perceptron attack [GTS15], and the Deterministic Finite Automata (DFA) attack [GTS16].

The attack described in [GTFS16] does not work for the iPUF for the following reason. As described in [GTFS16], assume that the PUF has average sensitivity k, i.e., k influential bits (see Section 2.2 and Theorem 3 in [GTFS16] for the detailed definition); then this PUF can be ε-approximated by another Boolean function h.


Such an h depends on only a constant number K of Boolean variables, where

$$K = e^{\frac{k}{\varepsilon}\left(2 + \sqrt{\frac{2\varepsilon \log_2(4k/\varepsilon)}{k}}\right)} > e^{\frac{2k}{\varepsilon}}.$$

We note that the definition of the influence of variable i in Section 2.2 of [GTFS16] is equivalent to the definition of SAC in Section 7. As shown in [GTFS16], for an n-bit (x, y)-iPUF with interposed position j, k can be computed as follows:

$$k = \sum_{i=0,\, i \neq j}^{n} p_i \overset{\text{Eq.}(28)}{=} \sum_{i=0,\, i \neq j}^{n} \left[ \frac{1 + (1 - \frac{2i}{n})^x}{2} \cdot \frac{1 - (1 - \frac{2i}{n+1})^y}{2} + \frac{1 - (1 - \frac{2i}{n})^x}{2} \cdot \frac{1 - (1 - \frac{2|i-j|}{n})^y}{2} \right].$$

For a 64-bit (3, 3)-iPUF with interpose position j = 31, k = 25.2. Hence, even if we consider a very weak approximating function h with ε = 0.5, then K = e^{25.2×2/0.5} > e^{100} > 2^{100}. However, Theorem 3 in [GTFS16] only tells us that if K is small then we can model the PUF; it does not confirm that we cannot approximate the iPUF by a Boolean function. To show resistance against the attack described in Theorem 4 of [GTFS16], we need one more step, i.e., we apply k-junta testing [Bea] to our iPUF. The k-junta test we implemented follows [Bea] and is fully explained in Appendix A.4. We applied this test⁶ with k = 63 and ε = 0.2 to the simplest version of an iPUF, i.e., a 64-bit (1,1)-iPUF, in simulation. Since k-junta testing is a randomized test with a certain probability of being correct, we ran the test 100 times. It consistently output that the function is not a 63-junta over all 100 runs. Let us analyze our confidence in this result below.

Let 1 − p denote the probability that the outcome O of a k-junta test correctly matches the ground truth T. Suppose we perform a k-junta test m times, leading to an output pattern with m − y "No" and y "Yes" outcomes. Since the ground truth is either that all outcomes are "No" or that all outcomes are "Yes", we know that, conditioned on the output pattern, the k-junta tests either correctly match ground truth T a total of m − y times (where O = T equals "No") and incorrectly match T a total of y times (where O equals "Yes"), or correctly match ground truth T a total of y times (where O = T equals "Yes") and incorrectly match T a total of m − y times (where O equals "No"). This gives

$$\Pr(T = \text{"No"} \mid \text{output pattern}) = \frac{p^{y}(1-p)^{m-y}}{p^{y}(1-p)^{m-y} + p^{m-y}(1-p)^{y}} = \frac{1}{1 + \left(\frac{p}{1-p}\right)^{m-2y}}.$$

Since k-junta testing has the property p ≤ 1/3, we have p/(1 − p) ≤ 1/2; hence,

$$\Pr(T = \text{"No"} \mid \text{output pattern}) \geq \frac{1}{1 + 2^{-(m-2y)}} \geq 1 - 2^{-(m-2y)}.$$

In our execution of the k-junta testing we used m = 100 and observed y = 0. Conditioned on this observation we conclude that T equals "No" with probability ≥ 1 − 2^{−100}, based on the derived formula.
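The confidence bound derived above is simple enough to evaluate directly; the tiny sketch below does so for the reported experiment (m = 100 runs, y = 0 "Yes" outcomes, error probability p ≤ 1/3).

```python
# Minimal sketch of the posterior confidence bound: Pr(T = "No" | pattern)
# = 1 / (1 + (p/(1-p))^(m-2y)) >= 1 - 2^-(m-2y) for p <= 1/3.
def confidence_no(m, y, p=1/3):
    return 1 / (1 + (p / (1 - p)) ** (m - 2 * y))

# Prints 1.0 in double precision; analytically the bound is >= 1 - 2**-100.
print(confidence_no(100, 0))
```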

This result can be explained intuitively, because the influence of any challenge bit i (or the SAC property of i) is larger than 0 in an iPUF (see Section 7.2 for the theoretical analysis of the SAC of the iPUF, and see Figure 6 for its experimental validation). In other words, every challenge bit contributes to the final response of an iPUF.

⁶ ε measures the modeling inaccuracy of the given function by any k-junta, and it is taken from the range between 0 and 1. By setting ε = 0.2 in the k-junta test, we are testing whether there exists a k-junta that can model the given function with at least 80% accuracy.


Since the computed k = 64, the time complexity of the attack used in [GTFS16] on a 64-bit (1,1)-iPUF would be O(64^64), which makes the attack infeasible (see the discussion of Theorem 4 in [GTFS16]). Moreover, we performed k-junta testing with the same setup as for the (1,1)-iPUF on a 64-bit 2-XOR APUF and on an APUF, and the results turn out to be 64 as well, which is consistent with the SAC property analysis of XOR APUFs and APUFs in [MKP09, DGSV14, NSCM16].

If we compare the LR attack on the XOR APUF in [RSS+10, TB15] with the Perceptron attack on the XOR APUF in [GTS15] or with the DFA attack in [GTS16] (the DFA attack is demonstrated on APUFs, but [GTS16] also claims that it is possible to attack XOR APUFs with some modifications), we can see that the LR algorithm is much more powerful. The reasons are that the LR algorithm has a much smaller search space, uses the XOR APUF mathematical model, and uses gradient information in the optimization process. As shown in Section 6.3, the (x, y)-iPUF is equivalent to the (y + x/2)-XOR APUF under classical ML. Therefore, the attacks in [GTS15, GTS16] do not work for the iPUF when x and y are properly chosen.

7 Reliability Analysis and Strict Avalanche Criterion of (x, y)-iPUF

7.1 Reliability of the (x, y)-iPUF

We develop a formula for computing the noise of the x-XOR APUF where the noise rate of all APUFs is the same, i.e., all APUFs have a noise rate β, 0 ≤ β ≤ 1. Let β_x be the noise rate of the x-XOR APUF. For a given challenge c, if there is an odd number of noisy APUF responses, then the XOR APUF's output is noisy. Hence,

$$\beta_x = \sum_{j=0,\ j\ \mathrm{odd}}^{x} \binom{x}{j} \beta^{j} (1-\beta)^{x-j} = \frac{1 - (1-2\beta)^x}{2}. \qquad (23)$$

Now we compute the unreliability (i.e., the noise) of the (x, y)-iPUF. We consider the following two cases.

Case I: The output of the x-XOR APUF is reliable. This event occurs with probability 1 − β_x, in which case the noise rate of the output of the iPUF, denoted β_I, is equal to the noise rate of the y-XOR APUF, denoted β_y, i.e.,

$$\beta_I = \beta_y = \frac{1 - (1-2\beta)^y}{2}. \qquad (24)$$

Case II: The output of the x-XOR APUF is unreliable. This event occurs with probability β_x. In this case (see Section 6.4.1), each APUF in the y-XOR APUF will have noise rate β′ = β(1 − i/n) + (1 − β)·i/n = β + (1 − 2β)·i/n. Hence, in this case the noise rate of the iPUF, denoted β_II, is equal to the noise rate of a y-XOR APUF in which all APUFs have noise rate β′, i.e.,

$$\beta_{II} = \frac{1 - (1-2\beta')^y}{2} = \frac{1 - \left(1 - 2\left(\beta + (1-2\beta)\frac{i}{n}\right)\right)^y}{2} = \frac{1 - (1-2\beta)^y \left(1 - \frac{2i}{n}\right)^y}{2} \overset{\text{Eq.}(24)}{=} \frac{1 - (1 - 2\beta_y)\left(1 - \frac{2i}{n}\right)^y}{2}. \qquad (25)$$


Therefore, the noise rate of the (x, y)-iPUF, denoted β_iPUF, is equal to

$$\beta_{\mathrm{iPUF}} = (1 - \beta_x)\beta_I + \beta_x \beta_{II} = \beta_y + \beta_x(\beta_{II} - \beta_y) = \beta_y + \beta_x\left(\frac{1 - (1-2\beta_y)(1 - \frac{2i}{n})^y}{2} - \beta_y\right) = \beta_y + \frac{\beta_x}{2}\,(1 - 2\beta_y)\left(1 - \left(1 - \frac{2i}{n}\right)^y\right). \qquad (26)$$

The following examples confirm the correctness of Eq. (26). If i = 0, then we have β_iPUF = β_y. Indeed, when i = 0 the (x, y)-iPUF is basically equivalent to the y-XOR APUF, so the calculated result β_iPUF = β_y is confirmed. If i = n and y is odd, then from Eq. (26), β_iPUF = β_x + β_y − 2β_xβ_y = β_x(1 − β_y) + β_y(1 − β_x) = β_{(x+y)-XOR APUF}. We know that when i = n and y is odd, the (x, y)-iPUF is exactly the (x + y)-XOR APUF; hence the calculated result β_iPUF = β_{(x+y)-XOR APUF} is confirmed.
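These limiting cases can also be checked numerically; the following minimal sketch evaluates Eq. (23) and Eq. (26) for an illustrative β = 0.05 and a (3, 3)-iPUF, confirming that i = 0 reproduces β_y while i = n (with odd y) reproduces the (x + y)-XOR APUF noise rate.

```python
# Minimal sketch evaluating Eq. (23) and Eq. (26) and their limiting cases.
# beta, x, y are illustrative choices.
def beta_xor(beta, x):
    return (1 - (1 - 2 * beta) ** x) / 2                       # Eq. (23)

def beta_ipuf(beta, x, y, i, n):
    bx, by = beta_xor(beta, x), beta_xor(beta, y)
    return by + bx / 2 * (1 - 2 * by) * (1 - (1 - 2 * i / n) ** y)   # Eq. (26)

beta, x, y, n = 0.05, 3, 3, 64
print("i=0:  ", beta_ipuf(beta, x, y, 0, n), " vs beta_y =", beta_xor(beta, y))
print("i=n:  ", beta_ipuf(beta, x, y, n, n), " vs beta_(x+y)-XOR =", beta_xor(beta, x + y))
print("i=n/2:", beta_ipuf(beta, x, y, n // 2, n))
```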

7.2 Strict Avalanche Criterion of (x, y)-iPUF

The SAC property is an important security feature, as discussed in [MKP09, DGSV14, NSCM16]. Here we analyze the SAC property of the (x, y)-iPUF. Assume that the output r_x of the x-XOR APUF is interposed at position j in the challenge to the y-XOR APUF, j = 0, 1, . . . , n. We would like to compute the probability that flipping a bit in the input results in the flipping of the output bit of the (x, y)-iPUF. This analysis for the (x, y)-iPUF is similar to the analysis we did for the APUF in Section 6.2:

$$p_i = \Pr_c(r_{c[i]=0} \neq r_{c[i]=1}), \qquad i = 0, 1, \ldots, n-1, \qquad (27)$$

where r_{c[i]=0} and r_{c[i]=1} are the outputs of the (x, y)-iPUF when bit c[i] = 0 and c[i] = 1, respectively, while all the other challenge bits are the same. To compute p_i, we consider the following two cases:

Case I. c[i] flips, r_x does not flip, r flips. In this case, we flip challenge bit c[i], the output r_x of the x-XOR APUF does not flip, and the (x, y)-iPUF's output r flips (i.e., r_{c[i]=0} ≠ r_{c[i]=1}). From the analysis in Section 6.2, we know that if the challenge bit c[i] flips, then the output of an APUF in the x-XOR APUF flips with expected probability p = i/n and thus the output of the x-XOR APUF flips with expected probability p_x = (1 − (1 − 2p)^x)/2. In other words, r_x does not flip with probability 1 − p_x = (1 + (1 − 2p)^x)/2. When r_x is not flipped by flipping c[i], the output of an APUF in the y-XOR APUF is flipped by flipping c[i] with probability p′ = i/(n + 1). Thus the probability that r_x does not flip (and r flips) when flipping c[i] is equal to

$$p_I = \frac{1 + (1-2p)^x}{2} \cdot \frac{1 - (1-2p')^y}{2}.$$

Case II. c[i] flips, r_x flips and r flips. If r_x flips because c[i] flips, then there are two flipped challenge bits, at positions i and j, in the input challenge to the y-XOR APUF. In this case, the output of an APUF in the y-XOR APUF is flipped with probability p′′ = |i − j|/(n + 1). The computation of p′′ is beyond the scope of this paper, but a detailed derivation can be found in [NSCM16]. Thus the output r flips with probability

$$p_{II} = \frac{1 - (1-2p)^x}{2} \cdot \frac{1 - (1-2p'')^y}{2}.$$


Figure 3: SAC property of the 64-bit (3,3)-iPUF with theoretical and simulation data (p_i versus challenge bit index i).

Therefore, we have

$$\begin{aligned}
p_i &= p_I + p_{II} \\
&= \frac{1 + (1-2p)^x}{2} \cdot \frac{1 - (1-2p')^y}{2} + \frac{1 - (1-2p)^x}{2} \cdot \frac{1 - (1-2p'')^y}{2} \\
&= \frac{1 + (1 - \frac{2i}{n})^x}{2} \cdot \frac{1 - (1 - \frac{2i}{n+1})^y}{2} + \frac{1 - (1 - \frac{2i}{n})^x}{2} \cdot \frac{1 - (1 - \frac{2|i-j|}{n})^y}{2}. \qquad (28)
\end{aligned}$$

We experimentally verify our calculation of the SAC property for the (3, 3)-iPUF; the result is shown in Fig. 3. The simulated SAC property is computed using 20,000 CRP pairs for each p_i.
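The theoretical SAC curve of Eq. (28) is straightforward to evaluate; the sketch below computes p_i for a 64-bit (3,3)-iPUF with the interposed bit assumed at the middle position j = 32, matching the setting plotted in Figure 3.

```python
# Minimal sketch evaluating the theoretical SAC curve of Eq. (28).
# x, y, j and the sampled indices are illustrative choices.
def sac(i, x, y, j, n=64):
    p, p1, p2 = i / n, i / (n + 1), abs(i - j) / n
    flip_x = (1 - (1 - 2 * p) ** x) / 2
    term_I = (1 - flip_x) * (1 - (1 - 2 * p1) ** y) / 2
    term_II = flip_x * (1 - (1 - 2 * p2) ** y) / 2
    return term_I + term_II

for i in (0, 16, 32, 48, 63):
    print(f"i={i:2d}: p_i = {sac(i, 3, 3, 32):.3f}")
```

Note the characteristic dip at i = j, where flipping the challenge bit and the interposed bit partially cancel each other.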

8 Simulation Results

We provide simulation results in this section to support the major security and reliability claims made regarding the iPUF.

8.1 Experimental Verification of the Classical Machine Learning Hierarchy

In this section we experimentally verify Theorem 1 regarding the efficiency of different classical machine learning attacks. Recall that we stated LR is more efficient in attacking an XOR APUF than CMA-ES and deep neural networks. To provide empirical evidence of this, we ran these three attacks on a 4-XOR APUF with various numbers of CRPs, as shown in Table 3.

We ran CRP-based CMA-ES with 200,000 CRPs (Figure 2) and 500,000,000 CRPs (Section 8.2.2). Regardless of which of the two CRP counts was used, CRP based CMA-ES had a prediction accuracy of around 50%, clearly showing that the attack fails. When we use a deep neural network with 30,000 CRPs, the highest accuracy we can achieve over 10 runs is 94%, which is significantly better than CRP based CMA-ES while using a smaller number of CRPs. Lastly, Table 3 includes the LR attack, which is the most efficient of all the classical attacks tested here.


Table 3: Prediction accuracy of different algorithms using the same number of CRPs for training.

#CRPs  | LR  | DNN | CMA-ES
12,000 | 98% | 55% | 50%
30,000 | 99% | 94% | 50%

Table 4: Vulnerability of different PUF designs to machine learning attacks. CML = Classical Machine Learning attack, RML = Reliability based Machine Learning attack, LA-RML = Linear Approximation Reliability based Machine Learning attack, LA-CML = Linear Approximation Classical Machine Learning attack.

Attack  | 6-XOR APUF | (1,1)-iPUF | (3,3)-iPUF
CML     | 50.2% (✗)  | 82.4% (✓)  | 52.9% (✗)
RML     | 84.0% (✓)  | N/A (✗)    | N/A (✗)
LA-CML  | N/A (✗)    | 74.0% (✓)  | 49.0% (✗)
LA-RML  | N/A (✗)    | 73.0% (✓)  | 48.0% (✗)
(✗ = attack fails, ✓ = attack works)

The LR attack requires only 12,000 CRPs to achieve a prediction accuracy of around 99% [RSS+10]. Thus, from these experimental results we can empirically show that LR is the most efficient attack on XOR APUFs, followed by deep neural networks. The least efficient classical machine learning attack is CRP based CMA-ES.

8.2 iPUF Security

8.2.1 Simulated Machine Learning Attacks on iPUF and XOR APUF

To compare the vulnerabilities of the XOR APUF and various iPUF configurations to machine learning attacks we used the following setup: we simulated a 64-bit 6-XOR APUF, a 64-bit (1, 1)-iPUF and a 64-bit (3, 3)-iPUF using Matlab. Note that all the iPUFs have the interposed bit in the middle position.

The APUF components that make up each PUF design use weights that follow a normal distribution with µ = 0 and σ = 0.05. The noise for each weight follows a normal distribution N(0, σ²_noise); the distribution of each measured weight is therefore N(0, σ² + σ²_noise). In our simulations, we used the following relation between σ and σ_noise to control the reliability levels: σ_noise = γσ, where 0 ≤ γ ≤ 1. For γ = 0, a PUF instance is 100% reliable. Note that this model does not include the noise introduced by the arbiter circuit itself, but it still properly serves our analysis purpose. The reason is that in practice the hardware footprint of a switch and an arbiter are roughly the same; hence, the noise introduced by the arbiter circuit is very small compared with the total noise introduced by all switches in an APUF, because there are multiple switches but only one arbiter in an APUF. Also, this simulation method is widely used in the literature and it has been observed that it matches what occurs in practice [Bec15, DV13].

On each respective PUF design we run three different machine learning attacks (two in the case of the XOR APUF). We perform a classical machine learning attack (denoted CML in Table 4), the reliability based CMA-ES attack (denoted RML in Table 4) and the linear approximation variants of the classical and reliability based machine learning attacks (denoted LA-CML and LA-RML in Table 4).

Each attack in Table 4 is performed using CMA-ES to optimize the mathematical model for 1000 iterations. Each attack uses 200,000 CRPs for training (or 200,000 challenge-reliability pairs in the case of the reliability attacks). The accuracy of each attack is computed on a testing dataset of 2000 CRPs.


The accuracies reported in Table 4 are obtained by running each attack 10 times and taking the average. Note that the accuracy of the best-performing runs differs from the average by only 1% or 2%.

The security of the 6-XOR APUF is shown in the first column of Table 4. It is clear that an XOR APUF using a large number of APUF components (in this case 6) can mitigate classical machine learning attacks, given the amount of training data provided in this setup. However, the 6-XOR APUF is still highly vulnerable to reliability-based ML attacks; as Table 4 shows, the reliability based CMA-ES attack achieves an average accuracy of 84% on this PUF design. Note that we do not run any attacks on the 6-XOR APUF that use the linear approximation, because these types of attacks are specific to the iPUF.

The resilience of the (1, 1)-iPUF to classical machine learning, LA-CML and LA-RML is shown in the second column of Table 4. We note the following: as hypothesized, the (1, 1)-iPUF is vulnerable to classical machine learning due to its low model complexity. However, the linear approximation reliability based CMA-ES attack (LA-RML) works on the (1, 1)-iPUF, which may seem unexpected given our previous claims. Recall that in general the reliability based CMA-ES attack cannot be performed on any iPUF design (hence the N/A entry for the reliability-based ML attack on the (1, 1)-iPUF). This is because the input to the y-XOR APUF is unknown and therefore ∆ cannot be computed. However, in our LA-RML attack on the (1, 1)-iPUF and (3, 3)-iPUF we do not use the original formulation of the reliability based CMA-ES attack. To make the attack work on iPUF configurations we assume the interposed bit to be 0. By doing this we can compute ∆ and treat the (1, 1)-iPUF as a single APUF. In Section 6.5 we showed that for the (x, 1)-iPUF any ML technique using the linear approximation has a model accuracy upper bounded by 75%. The model accuracies produced by LA-RML and LA-CML on the (1, 1)-iPUF in Table 4 closely match this theoretical upper bound.

The security of the (3, 3)-iPUF against classical machine learning, LA-CML and LA-RML is shown in the third column of Table 4. It can clearly be seen that all attacks fail to produce an accurate model of the (3, 3)-iPUF. Due to its high model complexity, the (3, 3)-iPUF is not vulnerable to the classical machine learning attack, just like the 6-XOR APUF. As for the (1, 1)-iPUF, the reliability based CMA-ES attack cannot be performed on the (3, 3)-iPUF. When we run the linear approximation reliability based CMA-ES attack, due to the higher y, the accuracy of the model generated by any method that uses the linear approximation is theoretically upper bounded at 75% (see Eq. (22)). This coincides with the low accuracy of the models generated by both the linear approximation reliability based CMA-ES attack and the linear approximation CRP based CMA-ES attack. Overall, the experimental results in this section support our claim that the (x, y)-iPUF with proper parameter choices is secure against all current state-of-the-art machine learning attacks.

8.2.2 Some Notes on x-XOR APUF

Under state-of-the-art classical ML, the x-XOR APUF must resist Logistic Regression attacks, deep neural network attacks and CRP-based CMA-ES attacks. However, the iPUF only needs to mitigate deep neural network attacks and CRP-based CMA-ES attacks (since the Logistic Regression attack is not possible). In this section we present experiments to determine the value y + x/2 for which a (y + x/2)-XOR APUF resists both of the aforementioned attacks. Based on these results we can use the equivalence proof developed earlier to determine the corresponding (x, y)-iPUF parameters.

We ran CRP-based CMA-ES attack and deep neural network attack experiments to determine the minimum value of y + x/2 needed to create a secure PUF design. We ran CRP based CMA-ES for 2,000 iterations using 500,000,000 CRPs for training and 2,000 CRPs for testing. In this experiment we run a parallelized version of CMA-ES in C# using an Intel Xeon E5-2680 14-core machine with 128 GB of RAM. In this setup the maximum number of CRPs we can use is limited by the RAM (the CRPs are stored in a byte data array in C#).


Table 5: Modeling accuracy using a Deep Neural Network.

XOR number | 64-bit | 128-bit | 256-bit
5          | 0.987  | 0.986   | 0.975
6          | 0.976  | 0.977   | 0.533
7          | 0.976  | 0.491   | -
8          | 0.513  | -       | -
9          | 0.502  | -       | -
("-": the result is not available.)

On a 128-bit 4-XOR APUF the average accuracy over 10 attack runs on the testing set was 51.77%.

In deep neural network attacks, the adversary uses the challenge transformation mapping (see Eq. (1)) together with a deep neural network (contrary to a pure black-box attack, which only employs the deep neural network without the challenge transformation mapping). The first study on how to implement deep neural network attacks on APUF based designs, including the iPUF (for small x and y), was done by Pranesh et al. [SBC19, SBC18]. For our deep neural network experiments we created a feed-forward neural network with the following structure: 3 hidden layers with 100, 60 and 20 neurons respectively, and a softmax layer on the output. For the neurons in the hidden layers we used a sigmoid activation function. The network is trained by minimizing the cross-entropy loss function using the optimization technique ADAM [KB14]. We trained the network for 20 epochs using 2,000,000 CRPs (with a batch size of 128) and used 2,000 CRPs for testing.
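The sketch below reconstructs a network with the architecture described above (three hidden layers of 100, 60 and 20 sigmoid units, a softmax output, Adam, cross-entropy loss) using tf.keras; it is an illustration under these stated assumptions, not the authors' released implementation. X_train and y_train are placeholder names for the Ψ-transformed challenges and binary responses.

```python
# Minimal sketch of the attack network described above (tf.keras reconstruction).
import tensorflow as tf

def build_attack_model(input_dim):
    model = tf.keras.Sequential([
        tf.keras.layers.Input(shape=(input_dim,)),
        tf.keras.layers.Dense(100, activation="sigmoid"),
        tf.keras.layers.Dense(60, activation="sigmoid"),
        tf.keras.layers.Dense(20, activation="sigmoid"),
        tf.keras.layers.Dense(2, activation="softmax"),   # binary response as 2-class softmax
    ])
    model.compile(optimizer="adam",
                  loss="sparse_categorical_crossentropy",
                  metrics=["accuracy"])
    return model

# Usage (placeholders): 64-bit challenges give 65 Psi features.
# model = build_attack_model(input_dim=65)
# model.fit(X_train, y_train, epochs=20, batch_size=128, validation_data=(X_test, y_test))
```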

In our computational setup we use an Intel Xeon E5-2680 14-core machine to generate the CRPs and corresponding responses in parallel in C#. We then load this data into TensorFlow in Python and train the neural network using an Nvidia Titan V GPU. In our setup the data generation and network training are run efficiently through CPU parallelization in C# and GPU parallelization in Python, respectively. However, transferring the CRP data between C# and Python creates a bottleneck that limits the amount of data we can load in a feasible amount of time to 2,000,000 CRPs. Re-coding the neural network in C# using Microsoft's Cognitive Toolkit would be needed to go beyond 2,000,000 CRPs.

For our neural network implementation please refer to our open source code publicly available on Github. Using the neural network configuration and training data described above, we are unable to model a ≥ 8-XOR APUF with 64 bits, a ≥ 7-XOR APUF with 128 bits and a ≥ 6-XOR APUF with 256 bits given 2,000,000 CRPs. For the full neural network attack results please see Table 5.

8.3 Enhanced Reliability Based CMA-ES Attack On APUF

When modeling both APUF and XOR APUF designs, the original reliability based CMA-ES attack can be improved by using more precise fitness functions (see Section 4.2). This is significant because, due to the improved modeling offered by (R_cdf, R′_cdf) and (R_absolute, R′_absolute), the reliability based CMA-ES attack can now work with less training data, where before the original attack would fail. When sufficient training data is available, the proposed fitness functions give more accurate models than the original fitness function. Table 6 depicts the modeling accuracy of the reliability based CMA-ES attack on a 64-bit APUF. In this set of simulations σ_noise = σ/10, giving the APUF a reliability of around 96 − 97%. From Table 6, it is evident that the reliability based CMA-ES attack using our proposed models (R_absolute, R′_absolute) and (R_cdf, R′_cdf) outperforms the reliability based CMA-ES attack using the original model (R_original, R′_original) as proposed in [Bec15]. This is due to both proposed models using the proper reliability ranges.


Table 6: A comparison of 64-bit APUF’s modeling accuracy using CMA-ES

N†      Modeling Accuracy (%)
        (R_original, R′_original)    (R_absolute, R′_absolute)    (R_cdf, R′_cdf)
600     60.33                        78.27                        96.02
1500    69.60                        96.64                        97.80
3000    97.49                        97.65                        98.38
6000    97.85                        97.98                        98.40
† No. of CRPs used to train a model.

Table 7: Modeling results of 4-XOR APUF using CMA-ES and different reliability models

Model setup          N†        Modeling Acc. (%)                Frequency⋆
                               A0      A1      A2      A3       A0    A1    A2    A3
(R_o., R′_o.)        10×10³    65.10   66.17   67.40   68.96    0     0     0     0
                     20×10³    98.08   97.91   98.23   98.33    1     4     3     1
                     30×10³    98.27   98.06   98.27   98.39    19    10    6     3
                     50×10³    98.31   98.16   98.37   98.44    39    20    17    10
(R_a., R′_a.)        10×10³    97.53   97.09   97.10   95.24    22    24    31    8
                     20×10³    97.86   97.75   97.74   97.78    24    29    29    17
                     30×10³    98.08   97.89   98.02   98.12    47    27    20    6
                     50×10³    98.17   98.06   98.23   98.27    50    29    16    5
† No. of CRPs used to train an APUF as well as 4-XOR APUF models.
⋆ No. of correct models (prediction accuracy > 90%) for A_i out of 100 runs of CMA-ES.

In addition, (R_cdf, R′_cdf) outperforms (R_absolute, R′_absolute), as both the response polarity and the reliability information are considered in (R_cdf, R′_cdf).
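To make the role of the fitness function concrete, the following sketch scores a candidate APUF weight vector by the correlation between the measured per-challenge reliabilities and the reliabilities predicted by the candidate model, which is the general reliability-correlation objective that CMA-ES maximizes. The exact definitions of (R_original, R′_original), (R_absolute, R′_absolute) and (R_cdf, R′_cdf) are those of Section 4.2; the Becker-style measured reliability and the "absolute" model reliability |w · Φ| shown here are simplified stand-ins, and all function names are our own.

import numpy as np

def measured_reliability(repeated_responses):
    # repeated_responses: (n_crps, m) array of 0/1 responses, m repeated measurements per challenge
    m = repeated_responses.shape[1]
    return np.abs(m / 2.0 - repeated_responses.sum(axis=1))

def model_reliability_absolute(w, features):
    # "absolute"-style hypothetical reliability: distance |w . Phi| from the decision boundary
    return np.abs(features @ w)

def cma_es_fitness(w, features, repeated_responses):
    # fitness to be maximized by CMA-ES: correlation of measured and modeled reliability vectors
    r_meas = measured_reliability(repeated_responses)
    r_model = model_reliability_absolute(w, features)
    return np.corrcoef(r_meas, r_model)[0, 1]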

8.4 Enhanced Reliability Based CMA-ES Attack On XOR APUF

To demonstrate the improvement (R_absolute, R′_absolute) offers, we simulated a 4-XOR APUF and ran the reliability based CMA-ES attack 100 times using both (R_absolute, R′_absolute) and (R_original, R′_original). In this simulation each APUF has σ_noise = σ/10, giving it a reliability of around 96 − 97%. The results of this simulation are shown in Table 7. We report two aspects in Table 7: i) modeling accuracy and ii) frequency of correct APUF models (a correct model has a prediction accuracy greater than 90%). From the results of Table 7 it is clear that (R_absolute, R′_absolute) is able to generate more correct APUF models than (R_original, R′_original). Note that in the case where N = 10 × 10³, CMA-ES using (R_absolute, R′_absolute) can successfully model all the APUF components but (R_original, R′_original) fails to build any correct APUF models. Our enhancement to the CMA-ES attack results in a more efficient modeling of an XOR APUF.

8.5 Reliability Simulation of the iPUF and XOR APUF

To compare the reliability of the (x, y)-iPUF to the (x + y)-XOR APUF, we simulated an (x + y)-XOR APUF, an (x, y)-iPUF, an x-XOR APUF and a y-XOR APUF for x = 20, and y = 2 and y = 3. In the simulation, we have 64-bit APUFs, each with a noise rate defined by setting σ_noise = 0.05σ. To estimate the reliability, we evaluated each PUF design with 10,000 randomly generated challenges. Each challenge is measured 11 times to determine whether it is noisy or not. If the repeatability of a challenge is 100%, we say it is reliable; otherwise, it is a noisy challenge. The reliability of a PUF is estimated as the fraction of reliable challenges.
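A minimal sketch of this reliability estimate, assuming a hypothetical noisy evaluation function puf_eval(challenge) that returns a 0/1 response:

import numpy as np

def estimate_reliability(puf_eval, n_bits=64, n_challenges=10_000, n_repeats=11, seed=0):
    # Fraction of challenges whose response is identical over all repeated measurements.
    rng = np.random.default_rng(seed)
    reliable = 0
    for _ in range(n_challenges):
        c = rng.integers(0, 2, size=n_bits)
        responses = {puf_eval(c) for _ in range(n_repeats)}
        reliable += int(len(responses) == 1)   # 100% repeatable -> reliable challenge
    return reliable / n_challenges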

We varied the interpose position i of the iPUF from 0 to 64.


Figure 4: Noise rate of the (x+y)-XOR APUF, (x,y)-iPUF, x-XOR APUF and y-XOR APUF when the noise rate of each APUF is around 0.05. (a) x = 20 and y = 2; (b) x = 20 and y = 3.

For each interpose position we measured the reliability of the (x, y)-iPUF. In the same figure we also plot the reliability of the (x + y)-XOR APUF, the x-XOR APUF and the y-XOR APUF. The simulated results are presented in Figure 4.

Figures 4a and 4b show that the noise rates of the (x + y)-XOR APUF and the x-XOR APUF are close to each other, as the value of y is very small compared to the value of x (i.e. y = 2 or y = 3). The noise rate of the y-XOR APUF is very small compared to the (x + y)-XOR APUF and the x-XOR APUF. The noise rate of the (x, 3)-iPUF increases when the interpose bit position increases from 0 to 64. However, the noise rate of the (x, 2)-iPUF reaches its maximum value at interpose position 32. This is due to the parity of y (see Eq. (17)). The noise rate of the (x, 3)-iPUF is equal to half of the noise rate of the (x + 3)-XOR APUF when i is in the middle position. The experiments confirm our findings related to reliability in Section 7.

9 iPUF Implementation

In order to validate our iPUF security and reliability claims, we implemented our proposed iPUF designs on an FPGA board. In this section, we describe the FPGA implementation details and related experimental results. We also discuss the impact of the limitations of FPGA based APUFs on composite PUF (XOR APUF and iPUF) security.

Good Implementation and Bad Implementation. Having a theoretically secure design is not enough. Besides a secure design, one also needs a proper implementation that meets the assumptions used in the security analysis of the design. The hidden assumption used in the security analysis of the iPUF is that we have good APUF instances, i.e., all the weights w[i] (see Eq. 1) of the APUFs are sampled from the same distribution N(0, σ²). Failure of this condition in a practical APUF implementation would reduce or severely damage the security of the iPUF. In this section, we will show that badly implemented APUFs lead to a vulnerable iPUF which can be broken by the reliability-based CMA-ES attack, and that a properly implemented iPUF defeats the reliability-based CMA-ES attack.

9.1 iPUF Implementation Details

In our iPUF design we implemented every stage (switch) of each APUF by using a Look-Up Table (LUT)7 on a Digilent Nexys 4 DDR board with Xilinx Artix-7 embedded [Dig16].

7 In particular, on our board each stage is implemented by a 6-input 2-output LUT, where the two outputs serve as the outputs of the upper and lower paths and only three inputs are used, as the inputs of the upper and lower paths and the challenge bit. We notice that the Programmable Delay Line (PDL) is a widely used technique to implement APUFs [MKD10], but we did not choose to use it due to the poor uniqueness of PDL-based APUFs according to a recent study [SCM15].


The LUTs are chained together and the final output is collected by a flip-flop serving as an arbiter. The main issue in implementing any iPUF design is to make sure that the response r_up of the upper layer XOR APUF is ready when the interposed position of the lower layer XOR APUF is evaluated. To solve this issue, we added one more signal from the upper layer XOR APUF to inform the control circuitry when r_up is ready. Once the signal is received, the lower layer XOR APUF evaluates its input.

Desirable statistical properties of a PUF include uniqueness, reliability and uniformity. It has been experimentally verified that uniqueness is a serious issue when implementing FPGA based APUFs [MGS11, HYKS10]. The main reason that implementing unique APUFs on FPGAs is problematic [MYIS14, MGS11] is that the designers are not allowed to precisely control the routing between each LUT. The delay difference induced by routing is much larger than the delay difference introduced by process variation. Thus, the behavior of one APUF on an FPGA is largely determined by the placement and routing of the LUTs. Controlling the routing between the LUTs maintains the balance of the lengths of the two competing paths.

In practice, in order to keep the balance between the delays of the two competing paths, usually one switch chain is kept in one column of slices on an FPGA. However, in our APUF implementation on a Digilent Nexys 4 DDR with Xilinx Artix-7 embedded [Dig16] there are four LUTs in each slice of the FPGA. Due to the configuration of this hardware, a choice must be made on how to connect the LUTs inside a slice or between two adjacent slices to form the switch chain. Since the behavior of each APUF is dominated by the routing difference between the two paths, each switch chain must be placed differently for each APUF, in order to create unique APUFs. Note this design strategy only alleviates the uniqueness issue on a single FPGA. If the same bitstream is used to program different FPGAs, the difference between the same APUFs on different FPGAs will be very small. Thus, this is not a general design strategy to improve the uniqueness of APUFs on FPGA, but it is sufficient for us to conduct our experiments.

We have two different ways to place the switch chains: (1) Random placement [Bad Implementation]: we randomly select one LUT in each slice and then connect them together. (2) Pattern placement [Good Implementation]: we place the switches according to a pre-defined pattern. For example, we only use LUT A and LUT B in every slice.

According to our experiments, each design strategy has advantages and disadvantages. For the random placement design strategy, the advantage of this method is that it gives us many options to build unique APUFs. Here we define two APUFs as being non-unique when their responses are the same for more than 60% of the challenges8. Initially, we generated 100 different switch chains using random placement. After extensive evaluation, we selected 23 placements of the APUFs, which provide APUFs with good uniformity (50.2% - 61.6%) and good uniqueness/inter-hamming distance (39.5% - 59.0%). The noise rate of these APUFs at room temperature is between 0.66% and 1.25%. However, with good statistical properties comes a security weakness in the APUFs. Since the routing between adjacent switches is randomly selected, there are a few delays that are significantly larger than the other delays. This effectively introduces a few significant weights in the weight vector (see Eq. 1) of such an APUF. As a result the difficulty of all machine learning attacks is reduced, since only these significant weights need to be precisely modeled (instead of having to precisely learn all the weights). This gives a bad PUF implementation and therefore it can now be broken by ML attacks. We built models of the individual APUFs to understand the distribution of weights. The standard deviation of the weights of the APUFs created by random placement ranges from 4.23 to 7.48.

8 For FPGA implemented APUFs, 60% uniqueness is considered sufficiently close to its ideal value of 50%, due to the difficulty of controlling the routing between LUTs. As shown in our experiments, only 23 out of 100 placements satisfy this requirement. Our results are in agreement with [SCM15].


Table 8: Results of the reliability based machine learning attack on XOR APUFs with real measurements from the FPGA.

          #CRPs used in one attack    Overall Noise Rate    Average Prediction Accuracy
2-XOR     50,000                      1.44%                 98.22%
3-XOR     90,000                      2.38%                 96.38%
4-XOR     140,000                     2.92%                 96.15%
5-XOR     200,000                     3.80%                 96.62%
6-XOR     260,000                     4.47%                 91.58%*
* Note that the attack on the 6-XOR APUF only recovered 5 out of 6 models. The attacks on the 2, 3, 4, 5-XOR APUFs successfully recovered all the models.

As we will explain shortly, the standard deviation is much smaller for the pattern placement design strategy, but this method has its own drawbacks.

For the pattern placement design strategy, there are a very limited number of patterns we can generate, and some APUFs formed by different placement patterns are not unique. After exhaustively trying 11 patterns9, we found only 4 placement patterns that can generate 4 unique APUFs. The uniqueness limitation of this design strategy gives us very few options to form an iPUF design with more than 4 APUFs in total. However, the pattern placement design strategy does not have the same security weakness as the random placement design strategy: it yields a good PUF implementation that is secure against ML attacks. We also built models of the individual APUFs to understand the distribution of weights in this design. The standard deviation of the weights of the APUFs created by pattern placement ranges from 1.11 to 3.77. Using this design strategy we do not observe the same effect of only a few influential weights (unlike in the random placement design strategy).

Since the design strategy will largely influence the experimental results that we will present later, we will clearly state how the APUFs are generated for each experiment.

9.2 Experimental Results

Reliability-Based Machine Learning Attack on XOR APUFs: First, we repeated the enhanced reliability based CMA-ES attack in Section 8.4 on XOR APUFs to validate the effectiveness of our attack. In this experiment, we selected 6 unique APUFs created by random placement to form a 6-XOR APUF on the FPGA. We then measured 300,000 CRPs, with each CRP measurement repeated 11 times, to get 300,000 challenge reliability pairs. The number of challenge reliability pairs used for one CMA-ES attack and the modeling results after 100 runs of CMA-ES are presented in Table 8.

Reliability-Based Machine Learning Attack on iPUFs: To show the machine learning resistance of the iPUF to the enhanced reliability-based CMA-ES attack, we perform the attack on a (1,1)-iPUF. We do not test this attack on iPUF designs with more APUF components because our security against reliability-based machine learning attacks does not depend on the number of APUF components.

We used two APUFs created by pattern placement [Good Implementation] to form a (1,1)-iPUF with an interposed position exactly in the middle of the lower APUF. We measured 200,000 CRPs, with each CRP measurement repeated 11 times, to get the challenge reliability measurements. We then sampled a subset of 90,000 challenge reliability pairs out of the 200,000 challenge reliability pairs to run the reliability-based CMA-ES attack. CMA-ES was not able to converge to the upper APUF after 10 runs.

9 Since there are only four LUTs (A, B, C, and D) in a slice, we can only construct 11 different patterns: 1 pattern that uses all four LUTs in each slice, 6 patterns that use a combination of two LUTs in each slice (AB, AC, AD, BC, BD, and CD), and 4 patterns that use one LUT in each slice (A, B, C, and D).



Figure 5: Results of CRP based CMA-ES attacks on the APUF (1-XP), x-XOR APUFs (x-XP) and (x, y)-iPUFs ((x, y)-IP).

This validated our security claim that the iPUF structure can prevent reliability based machine learning attacks. Unfortunately, due to the uniqueness issue of pattern placed APUFs, we were not able to test the security of the (3,3)-iPUF as we did in our experimental simulations. We also observed that if the component APUFs are created by random placement [Bad Implementation], CMA-ES was able to break the iPUF. We give a detailed analysis of this phenomenon in Section 9.3. We want to emphasize that the reliability-based CMA-ES attack can break the iPUF because of the improper implementation in the case of random placement, i.e., not because of any design flaw of the iPUF.

Classical Machine Learning Attacks on XOR APUFs and iPUFs: In this subsection we conduct experiments to verify the claim that the model complexity of an (x, y)-iPUF is similar to that of a (y + x/2)-XOR APUF. In this experiment we generate component APUFs using the random placement design strategy to construct iPUFs and XOR APUFs.

We measured 200,000 CRPs for each XOR APUF and iPUF. We then used CRP based CMA-ES to optimize each model given the 200,000 CRPs. To further reduce the influence of noisy CRPs in this attack, for each CRP we did a majority vote over 11 repeated measurements. We ran CRP based CMA-ES on this training dataset 10 times to avoid the possible failure introduced by the probabilistic nature of the algorithm. The results are shown in Figure 5.
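The majority-voting preprocessing step can be written as a one-liner over the matrix of repeated measurements; the array shape below is an assumption for illustration.

import numpy as np

def majority_vote(repeated_responses):
    # repeated_responses: (n_crps, n_repeats) array of 0/1 responses, e.g. shape (200_000, 11)
    n_repeats = repeated_responses.shape[1]
    return (repeated_responses.sum(axis=1) > n_repeats // 2).astype(np.uint8)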

Strict Avalanche Property: We also tested the SAC property of an implemented (3,3)-iPUF, where each component APUF is generated by random placement (see Section 9.1). The resulting curve is shown in Figure 6, which is similar to Figure 3.

Reliability of the iPUF with respect to Interposed Position: We selected 22 and 23 unique component APUFs to construct a (20,2)-iPUF and a (20,3)-iPUF, respectively, on the FPGA. We evaluated how the noise rate was affected by changing the interposed positions in the lower XOR APUFs. We tested 5 different interposed bit positions (0, 16, 32, 48, 64). The noise rates of the (20,2)-iPUF and the (20,3)-iPUF with respect to the interposed position are shown in Figure 7. This follows the same trend as the simulation result in Figure 4. Note that the reliability is equal to (1 − noise rate), or (100% − noise rate) in percentage.



Figure 6: SAC property of the 64-bit (3,3)-iPUF with real data.

Figure 7: Reliability (1 − noise rate) with respect to different interpose positions, for the (20,2)-iPUF and (20,3)-iPUF compared with the 2-XOR, 3-XOR, 20-XOR and 23-XOR PUFs.

Reliability of the iPUF under Temperature Variation: We used a (3, 3)-iPUF for reliability testing under temperature variation, where each APUF is created by random placement and has good uniformity and uniqueness. We measured 1,000 CRPs from this iPUF at 25 degrees Celsius as the reference CRPs. We then measured the same 1,000 CRPs again at 70 degrees and at 0 degrees Celsius. The error rates introduced at 70 degrees and at 0 degrees Celsius are 2.1% and 1.4%, respectively.
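These error rates are simply the fraction of the 1,000 reference responses that differ at the new temperature; a minimal sketch (array names are hypothetical):

import numpy as np

def error_rate(reference_responses, responses_at_temperature):
    # Fraction of CRPs whose response at the new temperature differs from the 25 C reference.
    reference = np.asarray(reference_responses)
    measured = np.asarray(responses_at_temperature)
    return float(np.mean(reference != measured))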

9.3 Security Issue Introduced by Careless Implementation

We also used two APUFs created by random placement to form a (1,1)-iPUF with an interposed position exactly in the middle of the lower APUF. Again, we measured 200,000 CRPs, with each CRP measurement repeated 11 times, to get the challenge reliability measurements. We then sampled a subset of 90,000 challenge reliability pairs out of the 200,000 challenge reliability pairs to run the reliability-based CMA-ES attack. CMA-ES was able to converge to the model of the upper APUF with 96.6% accuracy. According to our previous analysis and simulation results, only the model of the lower APUF should be built, with up to 75% accuracy (i.e., the reliability-based machine learning attack on a (1,1)-iPUF is equivalent to the linear approximation reliability-based CMA-ES). When CMA-ES converged to the model of the lower APUF, the accuracy was upper bounded by 75%, which confirms our theoretical analysis.

When we discovered the phenomenon of biased weights in the APUFs generated by random placement, we further investigated why this implementation affects the security of iPUFs.


Table 9: Results of the enhanced reliability-based CMA-ES attack on a (1,1)-iPUF with biased weights.

# dominating weights    SAC     Upper    Lower    Failed
4                       0.39    0        10       0
8                       0.58    9        1        0
12                      0.54    2        8        0
16                      0.32    0        9        1
20                      0.41    0        10       0

Figure 8: The weight distribution of the lower APUF in a (1,1)-iPUF where the number of large weights (> 3) is constrained to 4.

We created APUF models with biased weights, such that the distribution that generates the large weights is N(0, 6), while the standard weights are drawn from N(0, 1). We also precisely controlled the number of large weights in the second half (the half which is closer to the output) of the lower APUF. We simulated (1,1)-iPUFs with 4, 8, 12, 16, and 20 dominating weights. On each type of iPUF we performed the enhanced reliability-based CMA-ES attack 10 times. The results are shown in Table 9.

From Table 9, we can see that the SAC value of the middle bit of the lower APUF affects its security. The SAC value is the probability that a bit flip in the middle challenge bit of the lower APUF flips the final output bit. The larger the SAC value is, the higher the chance that the reliability information of the upper APUF will be exposed to adversaries. This leads to a successful attack on the upper APUF with higher probability. Ideally, the SAC value of the middle bit should be 50%, but due to the biased distribution of the weights on FPGAs, the SAC value can be higher than normal. Based on the computed SAC values, the reliability-based CMA-ES attack should not converge to the upper APUF, because they are good enough to prevent the attack according to our analysis in Section 6.4. However, the attack still works very well when the number of dominating weights is 8 or 12.
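The following sketch mirrors this simulation setup: it draws a lower-APUF weight vector with a controlled number of large weights in the second half and estimates the SAC value of the middle challenge bit. The additive delay model, the indexing of the "second half", and the interpretation of N(0, 6) as a variance are our own reading of the setup, so treat the sketch as illustrative rather than the code behind Table 9.

import numpy as np

def apuf_delta(w, c):
    # Additive delay model: Psi[i] = prod_{l=i}^{n-1} (1 - 2 c[l]), Psi[n] = 1, delta = w . Psi
    n = len(c)
    psi = np.ones(n + 1)
    for i in range(n - 1, -1, -1):
        psi[i] = psi[i + 1] * (1 - 2 * c[i])
    return float(np.dot(w, psi))

def biased_weights(n=64, n_large=8, var_small=1.0, var_large=6.0, seed=0):
    # Standard weights from N(0, var_small); n_large weights in the second half from N(0, var_large)
    rng = np.random.default_rng(seed)
    w = rng.normal(0.0, np.sqrt(var_small), size=n + 1)
    idx = rng.choice(np.arange(n // 2 + 1, n + 1), size=n_large, replace=False)
    w[idx] = rng.normal(0.0, np.sqrt(var_large), size=n_large)
    return w

def sac_middle_bit(w, n_challenges=20_000, seed=1):
    # Estimated probability that flipping c[n/2] flips the APUF response
    rng = np.random.default_rng(seed)
    n = len(w) - 1
    flips = 0
    for _ in range(n_challenges):
        c = rng.integers(0, 2, size=n)
        r0 = apuf_delta(w, c) > 0
        c[n // 2] ^= 1
        flips += int(r0 != (apuf_delta(w, c) > 0))
    return flips / n_challenges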

Security Analysis. We can explain this fact as follows. The interposed bit in the middle splits the lower APUF into two parts: the flipping part, which is closer to the 0-th challenge bit, and the non-flipping part, which is closer to the output of the iPUF. For the sake of explanation, we assume that all small weights are equal to 0. The motivation for this assumption is that if the biased weights are significantly larger than the small weights, we can ignore all the small weights. We assume that there are k biased weights in the flipping part and m biased weights in the non-flipping part. Moreover, the biased weights follow a normal distribution N(0, σ_b²).


From Equation (13), we can write

∆ = (1 − 2c[n/2]) × ∆_Flipping + ∆_Non-Flipping,

where ∆_Flipping = Σ_{i=0}^{n/2} w[i]Ψ[i] / (1 − 2c[n/2]) and ∆_Non-Flipping = Σ_{i=n/2+1}^{n} w[i]Ψ[i]. Since we have k + m biased weights, ∆_Flipping and ∆_Non-Flipping only depend on k and m weights, respectively. This implies that ∆_Flipping and ∆_Non-Flipping follow the normal distributions N(0, kσ_b²) and N(0, mσ_b²), respectively. We know that, for a given challenge c, the output of the lower APUF flips when challenge bit c[n/2] is flipped if and only if |∆_Non-Flipping| < |∆_Flipping|. It is obvious that the smaller |∆_Non-Flipping| is (say, smaller than e), the higher the chance that the output will flip. Since ∆_Non-Flipping ∼ N(0, mσ_b²),

Pr(|∆_Non-Flipping| < e) = Φ(e / (√m σ_b)) − Φ(−e / (√m σ_b)) = 2Φ(e / (√m σ_b)) − 1.

If m increases, then Pr(|∆_Non-Flipping| < e) decreases for any given small positive number e. This implies that the leakage of information is reduced when m increases. This explains why the number of convergences to the upper APUF for the case m = 8 is larger than for m = 12. Of course, when m is large enough, the attack does not work at all. In our simulation, m only needs to be larger than 16 to prevent the attack. We also noticed that when m = 4, the attack does not work. The weights of the lower APUF when m = 4 are depicted in Figure 8. We offer the following possible explanation. In the non-flipping part, there are two significantly large weights; the second largest of the two (< 13) is much smaller than the largest one (≈ 23), and both of them are much bigger than the remaining weights. The smallest value of |∆_Non-Flipping| is 10 and the largest value is 36. This implies that |∆_Non-Flipping| is always larger than |∆_Flipping|. It means that the leakage of the output of the upper APUF is very small and thus the attack does not work. Indeed, in this case the SAC value for m = 4 is 0.39, which is smaller than the ideal SAC of 0.5.
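A quick numerical check of this closed form, with e and σ_b chosen only for illustration, shows the leakage probability shrinking as m grows:

from scipy.stats import norm

def leakage_prob(e, m, sigma_b):
    # Pr(|Delta_NonFlipping| < e) with Delta_NonFlipping ~ N(0, m * sigma_b^2)
    return 2.0 * norm.cdf(e / (m ** 0.5 * sigma_b)) - 1.0

for m in (4, 8, 12, 16, 20):
    print(m, round(leakage_prob(e=1.0, m=m, sigma_b=6.0 ** 0.5), 4))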

Discussion. What if the biased delay values are at the interposed stages of the lower y-XOR APUF in an iPUF?

We will discuss this situation in two cases: (a) Suppose that the delay values at the interposed stages of the lower y-XOR APUF are very small compared with the other delay values. Then the delay introduced by the interposed stages is very small, but the response of the upper x-XOR APUF still affects the final response of the y-XOR APUF. This is because the challenge bit decides whether to swap the accumulated delay values of all the stages in front of the interposed stage, and this still has a large impact on the final response of the y-XOR APUF and the iPUF as a whole. (b) The second case is if the interposed stages have a very large delay that is comparable with the accumulated delay of all the other stages in the y-XOR APUF. In this case, the final response of the iPUF will be largely influenced by the x-XOR APUF and it will be defeated by the reliability-based CMA-ES attack.

To comment on the possibility of this event, we note that it is extremely rare that the delay values at the interposed stages of every single APUF in the y-XOR APUF are larger than the accumulated delays of all the other stages in a good implementation. Thus, this will not be a concern in terms of security for a correctly implemented iPUF.

10 Conclusion

In this paper, we make three main contributions. First, we comprehensively analyzed the reliability-based CMA-ES attack to understand how it works and how to enhance it.


Second, we propose a new PUF design, the (x, y)-iPUF. We prove through theory and experimentation that the iPUF is not vulnerable to the strongest known reliability-based machine learning attack (reliability-based CMA-ES) and the strongest known classical machine learning attack (Logistic Regression). Our final contribution is publicly available source code for all our iPUF, XOR APUF and APUF attack simulations, written in Matlab and C#. We also provide source code for the FPGA implementation of the XOR APUF and iPUF. All code for this paper can be found in the DA PUF Library on Github. Since the iPUF has advantages in terms of security, reliability and hardware overhead compared to the XOR APUF, the iPUF can be considered a standard design or primitive replacement for the XOR APUF. As a next step, we propose to implement the iPUF in an ASIC (Application Specific Integrated Circuit) in order to overcome the uniqueness problem encountered in FPGA implementations.

Acknowledgment

This project was supported in part by the AFOSR MURI under award number FA9550-14-1-0351. Ulrich Rührmair gratefully acknowledges funding by the PICOLA project of the German Bundesministerium für Bildung und Forschung (BMBF).


A Appendix

A.1 The Arbiter PUF and its XORed Versions


Figure 9: Arbiter PUF.

We briefly introduce the design of Arbiter PUFs (APUFs); the reader is referred to [GCvDD02] for further details. The design of an APUF is depicted in Figure 9. It is a delay-based silicon PUF with an n-bit challenge c = (c[0], c[1], . . . , c[n − 1]) that extracts random variation in silicon in terms of the delay difference of two symmetrically laid out parallel delay lines. Ideally, the nominal delay difference between these path pairs should be 0, but this does not happen due to uncontrollable random variation in the manufacturing process, which introduces a random offset between the two path delays. In general, an n-bit APUF comprises n switches connected serially to build two distinct, but symmetrical, paths. The arbiter, which is located at the end of the two paths, is used to decide which path is faster. The challenge bits c[0], c[1], . . . , c[n − 1] are used as the control inputs of the path-swapping switches; this eventually results in two paths, and an input stimulus runs through these two paths. The arbiter declares which path wins the race in the form of a 0 or 1 response. Typically, the response of an APUF is defined by

r = 1 if the signal at the upper path runs faster, and r = 0 otherwise.

The most important feature of this design is its small hardware overhead, i.e. the hardware overhead of an n-bit APUF is linearly proportional to the number of challenge bits n.


Figure 10: x-XOR APUF.

Due to the existence of a linear additive delay model of the APUF, see Eq. (1), a modeling attack is applicable [LLG+05, RSS+10]. In [SD07], the authors proposed the design of an x-XOR APUF, which enjoys better modeling resistance. Figure 10 describes the design of an x-XOR APUF.
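For reference, a minimal simulation of the additive delay model and its x-XOR composition follows; the feature map mirrors the standard Eq. (1)-style transformation, while the noise model and parameter choices are illustrative.

import numpy as np

def transform(c):
    # Phi[i] = prod_{l=i}^{n-1} (1 - 2 c[l]) for i < n, and Phi[n] = 1
    n = len(c)
    phi = np.ones(n + 1)
    for i in range(n - 1, -1, -1):
        phi[i] = phi[i + 1] * (1 - 2 * c[i])
    return phi

def apuf_response(w, c, noise_sigma=0.0, rng=None):
    # 0/1 response of one APUF; optional Gaussian noise added to the delay difference
    rng = np.random.default_rng() if rng is None else rng
    delta = float(np.dot(w, transform(c)))
    if noise_sigma > 0.0:
        delta += rng.normal(0.0, noise_sigma)
    return int(delta > 0)

def xor_apuf_response(weights, c, noise_sigma=0.0, rng=None):
    # x-XOR APUF: XOR of the x component APUF responses on the same challenge
    r = 0
    for w in weights:
        r ^= apuf_response(w, c, noise_sigma, rng)
    return r

# Example: a 64-bit 4-XOR APUF instance with weights drawn i.i.d. from N(0, 1)
rng = np.random.default_rng(0)
weights = [rng.normal(0.0, 1.0, size=65) for _ in range(4)]
challenge = rng.integers(0, 2, size=64)
print(xor_apuf_response(weights, challenge, noise_sigma=0.05, rng=rng))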

A.2 Analysis of the Influence of Challenge Bit c[j] on the Response r in the APUF

In this section, we explain

Pr_c(r_{c[j]=0} = r_{c[j]=1}) ≈ (n − j)/n, for j = 0, . . . , n − 1.


Let us examine under which conditions r_{c[j]=0} will equal r_{c[j]=1}. Assume that for a specific challenge c we fix all bits (except for c[j]) and the output r is 0 regardless of the value of c[j]. This means ∆_{c[j]=0} = ∆_Flipping + ∆_Non-Flipping > 0 when c[j] = 0 and ∆_{c[j]=1} = −∆_Flipping + ∆_Non-Flipping > 0 when c[j] = 1. From this example, it is easy to derive that r_{c[j]=0} = r_{c[j]=1} if and only if |∆_Flipping| ≤ |∆_Non-Flipping|, so that:

Pr_c(r_{c[j]=0} = r_{c[j]=1}) = Pr(|∆_Flipping| ≤ |∆_Non-Flipping|). (29)

We follow existing PUF literature [Lim04, LP14] and assume that when generating an instance of an APUF all w_i are sampled from the same normal distribution N(0, σ²); hence ∆_Flipping ∼ N(0, (j + 1) × σ²) and ∆_Non-Flipping ∼ N(0, (n − j) × σ²). Thus Pr_c(r_{c[j]=0} = r_{c[j]=1}) is equal to

Pr(|∆_Flipping| ≤ |∆_Non-Flipping|) = 4 × ∫_0^∞ φ_{0,(j+1)σ²}(u) Φ_{0,(n−j)σ²}(−u) du, (30)

where φ_{µ,σ²}(·) and Φ_{µ,σ²}(·) are the probability density function and cumulative distribution function of a normal distribution N(µ, σ²), respectively. Experimentally it has been shown [MKP09, DGSV14, NSCM16] that Eq. (30) can be approximated as:

Pr_c(r_{c[j]=0} = r_{c[j]=1}) ≈ (n − j)/n, for j = 0, . . . , n − 1.
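The integral in Eq. (30) is easy to evaluate numerically and to compare with the (n − j)/n approximation; the sketch below does this for a 64-bit APUF (σ = 1 is an arbitrary choice, since the probability only depends on the ratio of the two variances).

import numpy as np
from scipy.integrate import quad
from scipy.stats import norm

def prob_same_response(j, n, sigma=1.0):
    # Eq. (30): 4 * int_0^inf phi_{0,(j+1)sigma^2}(u) * Phi_{0,(n-j)sigma^2}(-u) du
    s_flip = np.sqrt(j + 1) * sigma
    s_nonflip = np.sqrt(n - j) * sigma
    integrand = lambda u: norm.pdf(u, scale=s_flip) * norm.cdf(-u, scale=s_nonflip)
    value, _ = quad(integrand, 0.0, np.inf)
    return 4.0 * value

n = 64
for j in (0, 16, 32, 48, 63):
    print(j, round(prob_same_response(j, n), 3), round((n - j) / n, 3))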

A.3 MPUF’s VulnerabilityMPUF was introduced in [SMCN18] but it is also not secure against the reliability-basedCMA-ES attack (see Algorithm 1 in Section 5 in [SMCN18]). To make the MPUF morerobust against the reliability-based CMA-ES attack, the authors propose rMPUF (seeFigure 3 in [SMCN18]). The rMPUF can be broken by using a modified version ofAlgorithm 1 and the reliability-based CMA-ES attack as well. Note that the notation Asis proposed in Figure 3 in [SMCN18]. First we learn the APUF As on the multiplexerclosest to the output using the reliability-based CMA-ES attack (this PUF has more noisyCRPs in the dataset, so the reliability-based CMA-ES attack is more likely to convergeto this model). Next we use our learned model to determine which CRPs are reliable forAs. Using these As reliable CRPs we create a new dataset for the rMPUF and run thereliability-based CMA-ES attack on the new dataset to learn the next PUF closest to theoutput (since the new dataset only has CRPs that are reliable for As we know that thereliability-based CMA-ES attack will most likely converge to the next nosiest PUF). Wecan repeat this process until we have learned all the APUFs in the rMPUF. It is importantto note that this attack works on the rMPUF, this attack does not work on the iPUFbecause we cannot learn any of the APUFs in the iPUF. Clearly, this approach cannot beapplied to iPUF because it requires the reliability-based CMA-ES attack to learn at leastone APUF component in every step.

A.4 k-junta Test

To test the number of influential inputs of a given function, a k-junta test is usually applied to the function. The concept of a k-junta is defined as follows:

Definition 3. [k-junta] A function f : Ω^n → Z is a k-junta iff there is a subset J ⊆ [n] with |J| ≤ k and a function g : Ω^J → Z such that for all x ∈ Ω^n, f(x) = g(x_J), where x_J = (x_{j1}, . . . , x_{jk}) for J = {j1, . . . , jk}.

The k-junta test algorithm [Bea] can help us determine which of the following holds for a given function f:


• f is a k-junta, or

• f is ε-far from any k-junta, where we say that two functions f and g are ε-far under a certain distribution µ iff P_{x∼µ}[f(x) ≠ g(x)] > ε.

The k-junta test algorithm works as follows [Bea]:

Algorithm 1 k-junta test [Bea]

1:  procedure JuntaTest(f, k, ε)
2:      s ← (k/ε)^O(1)
3:      t ← 12(k + 1)/ε
4:      Randomly partition [n] into s sets I_1, . . . , I_s; i.e., choose a random h : [n] → [s] and let I_j = {i | h(i) = j}
5:      S ← [n]
6:      l ← 0
7:      for r ← 1 to t do
8:          Choose x, y independently from Ω^n
9:          y_S ← x_S
10:         if f(x) ≠ f(y) then
11:             Use binary search on [s] to find a set I_j such that I_j contains an influential variable
12:             Remove I_j from S
13:             l ← l + 1
14:             if l > k then
15:                 Output “Not a k-junta” and halt
16:             end if
17:         end if
18:     end for
19:     Output “k-junta”
20: end procedure

Since the test only produces a correct output with probability > 2/3, in practice we have to run it repeatedly to gain higher confidence in the result.
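A runnable Python sketch of this test is given below. It follows the standard hybrid-point binary search for locating an influential block and re-randomizes y on the blocks not yet identified as influential (the usual independence-test convention); the concrete constants for s and t and these implementation details are our own choices and only approximate Algorithm 1.

import random

def junta_test(f, n, k, eps, seed=0):
    # Returns True ("k-junta") or False ("Not a k-junta"); correct with probability >= 2/3.
    rng = random.Random(seed)
    s = max(1, int((k / eps) ** 2))            # s = (k/eps)^O(1); exponent chosen for illustration
    t = int(12 * (k + 1) / eps)
    h = [rng.randrange(s) for _ in range(n)]   # random partition h : [n] -> [s]
    blocks = [[i for i in range(n) if h[i] == j] for j in range(s)]
    live = list(range(s))                      # blocks with no influential variable found yet
    found = 0
    for _ in range(t):
        x = [rng.randrange(2) for _ in range(n)]
        y = list(x)
        for j in live:                         # re-randomize y on the live blocks only
            for i in blocks[j]:
                y[i] = rng.randrange(2)
        if f(tuple(x)) != f(tuple(y)):
            j = _influential_block(f, x, y, blocks, live)
            live.remove(j)
            found += 1
            if found > k:
                return False
    return True

def _influential_block(f, x, y, blocks, live):
    # Binary search over hybrids between y and x to locate one block containing an influential variable.
    def hybrid(m):                             # agrees with x on the first m live blocks, with y elsewhere
        z = list(y)
        for j in live[:m]:
            for i in blocks[j]:
                z[i] = x[i]
        return tuple(z)
    lo, hi = 0, len(live)                      # invariant: f(hybrid(lo)) != f(hybrid(hi))
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if f(hybrid(mid)) != f(hybrid(lo)):
            hi = mid
        else:
            lo = mid
    return live[lo]

# Example: f depends on 3 of 32 inputs, tested as a 3-junta.
# f = lambda x: x[0] ^ (x[5] & x[17])
# print(junta_test(f, n=32, k=3, eps=0.1))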


References

[Bea] Paul Beame. Lecture 16: Property Testing of Functions, Junta Testing. Technical report.

[Bec14] Georg T. Becker. On the Pitfalls of using Arbiter-PUFs as Building Blocks. IACR Cryptology ePrint Archive, 2014:532, 2014.

[Bec15] Georg T. Becker. The Gap Between Promise and Reality: On the Insecurity of XOR Arbiter PUFs. In Proc. of 17th International Workshop on Cryptographic Hardware and Embedded Systems (CHES), 2015.

[BFSK11] Christina Brzuska, Marc Fischlin, Heike Schrauder, and Stefan Katzenbeisser. Physically Uncloneable Functions in the Universal Composition Framework. In Phillip Rogaway, editor, CRYPTO, pages 51–70. 2011.

[CCL+11] Qingqing Chen, G. Csaba, P. Lugli, U. Schlichtmann, and U. Rührmair. The Bistable Ring PUF: A new architecture for strong Physical Unclonable Functions. In Proc. of IEEE International Symposium on Hardware-Oriented Security and Trust (HOST), pages 134–141, June 2011.

[DGSV14] Jeroen Delvaux, Dawu Gu, Dries Schellekens, and Ingrid Verbauwhede. Secure Lightweight Entity Authentication with Strong PUFs: Mission Impossible? In Proc. of 16th International Workshop on Cryptographic Hardware and Embedded Systems (CHES), pages 451–475, 2014.

[Dig16] Digilent. Nexys 4 DDR Reference Manual, Apr. 2016. [Accessed Feb., 2018].

[DR02] Joan Daemen and Vincent Rijmen. The Design of Rijndael. Springer-Verlag, Berlin, Heidelberg, 2002.

[DRS04] Yevgeniy Dodis, Leonid Reyzin, and Adam Smith. Fuzzy Extractors: How to Generate Strong Keys from Biometrics and Other Noisy Data. In Christian Cachin and Jan L. Camenisch, editors, EUROCRYPT, pages 523–540. 2004.

[DV13] J. Delvaux and I. Verbauwhede. Side Channel Modeling Attacks on 65nm Arbiter PUFs Exploiting CMOS Device Noise. In IEEE 6th Int. Symposium on Hardware-Oriented Security and Trust, 2013.

[GBC16] Ian Goodfellow, Yoshua Bengio, and Aaron Courville. Deep Learning. The MIT Press, 2016.

[GCvDD02] Blaise Gassend, Dwaine Clarke, Marten van Dijk, and Srinivas Devadas. Silicon physical random functions. In ACM CCS, 2002.

[GTFS16] Fatemeh Ganji, Shahin Tajik, Fabian Fäßler, and Jean-Pierre Seifert. Strong Machine Learning Attack against PUFs with No Mathematical Model. In CHES, pages 391–411. Springer Berlin Heidelberg, 2016.

[GTS15] Fatemeh Ganji, Shahin Tajik, and Jean-Pierre Seifert. Why attackers win: on the learnability of XOR arbiter PUFs. In International Conference on Trust and Trustworthy Computing, pages 22–39. Springer International Publishing, 2015.

[GTS16] Fatemeh Ganji, Shahin Tajik, and Jean-Pierre Seifert. PAC learning of arbiter PUFs. Journal of Cryptographic Engineering, 6(3):249–258, 2016.

[Han16] Nikolaus Hansen. The CMA Evolution Strategy: A Tutorial. CoRR, abs/1604.00772, 2016.


[HAP09] Ryan Helinski, Dhruva Acharyya, and Jim Plusquellic. A physical unclonable function defined using power distribution system equivalent resistance variations. In Proc. of 46th Annual Design Automation Conference (DAC), pages 676–681, New York, NY, USA, 2009. ACM.

[HRvD+17] Charles Herder, Ling Ren, Marten van Dijk, Meng-Day Yu, and Srinivas Devadas. Trapdoor computational fuzzy extractors and stateless cryptographically-secure physical unclonable functions. IEEE Transactions on Dependable and Secure Computing, 14(1):65–82, 2017.

[HYKS10] Y. Hori, T. Yoshida, T. Katashita, and A. Satoh. Quantitative and Statistical Performance Evaluation of Arbiter Physical Unclonable Functions on FPGAs. In Proceedings of International Conference on Reconfigurable Computing and FPGAs (ReConFig), pages 298–303, Dec. 2010.

[JHR+17] Chenglu Jin, Charles Herder, Ling Ren, Phuong Ha Nguyen, Benjamin Fuller, Srinivas Devadas, and Marten van Dijk. FPGA Implementation of a Cryptographically-Secure PUF Based on Learning Parity with Noise. Cryptography, 1(3):23, 2017.

[KB14] Diederik P. Kingma and Jimmy Ba. Adam: A Method for Stochastic Optimization. CoRR, abs/1412.6980, 2014.

[KGM+08] S.S. Kumar, J. Guajardo, R. Maes, G.-J. Schrijen, and P. Tuyls. Extended abstract: The butterfly PUF protecting IP on every FPGA. In HOST, pages 67–70, June 2008.

[Lim04] Daihyun Lim. Extracting Secret Keys from Integrated Circuits. Master's thesis, MIT, USA, 2004.

[LLG+05] Daihyun Lim, Jae W. Lee, Blaise Gassend, G. Edward Suh, Marten van Dijk, and Srini Devadas. Extracting secret keys from integrated circuits. IEEE Transactions on Very Large Scale Integration (VLSI) Systems, 13(10):1200–1205, October 2005.

[LP14] Yingjie Lao and Keshab K. Parhi. Statistical Analysis of MUX-Based Physical Unclonable Functions. IEEE Trans. on CAD of Integrated Circuits and Systems, 33(5):649–662, 2014.

[MGS11] Abhranil Maiti, Vikash Gunreddy, and Patrick Schaumont. A Systematic Method to Evaluate and Compare the Performance of Physical Unclonable Functions. IACR Cryptology ePrint Archive, 2011:657, 2011.

[MKD10] Mehrdad Majzoobi, Farinaz Koushanfar, and Srinivas Devadas. FPGA PUF using programmable delay lines. In Information Forensics and Security (WIFS), 2010 IEEE International Workshop on, pages 1–6. IEEE, 2010.

[MKP08] M. Majzoobi, F. Koushanfar, and M. Potkonjak. Testing Techniques for Hardware Security. In Proc. of IEEE International Test Conference (ITC), pages 1–10, Oct. 2008.

[MKP09] Mehrdad Majzoobi, Farinaz Koushanfar, and Miodrag Potkonjak. Techniques for Design and Implementation of Secure Reconfigurable PUFs. ACM Trans. Reconfigurable Technol. Syst., 2(1):1–33, 2009.

[MOV96] A. Menezes, P.V. Oorschot, and S. Vanstone. Handbook of Applied Cryptography. CRC Press, Inc., 1996.


[MV10] Roel Maes and Ingrid Verbauwhede. Physically Unclonable Functions: A Study on the State of the Art and Future Research Directions. In Ahmad-Reza Sadeghi and David Naccache, editors, Towards Hardware-Intrinsic Security, Information Security and Cryptography, pages 3–37. Springer, Berlin Heidelberg, 2010.

[MYIS14] Takanori Machida, Dai Yamamoto, Mitsugu Iwamoto, and Kazuo Sakiyama. A New Mode of Operation for Arbiter PUF to Improve Uniqueness on FPGA. In Proc. of Federated Conference on Computer Science and Information Systems (FedCSIS), pages 871–878, 2014.

[NSCM16] Phuong Ha Nguyen, Durga Prasad Sahoo, Rajat Subhra Chakraborty, and Debdeep Mukhopadhyay. Security Analysis of Arbiter PUF and Its Lightweight Compositions Under Predictability Test. ACM TODAES, 22(2):20, 2016.

[RJB+11] U. Rührmair, C. Jaeger, M. Bator, M. Stutzmann, P. Lugli, and G. Csaba. Applications of High-Capacity Crossbar Memories in Cryptography. IEEE Transactions on Nanotechnology, 10(3):489–498, May 2011.

[RSS+10] Ulrich Rührmair, Frank Sehnke, Jan Sölter, Gideon Dror, Srinivas Devadas, and Jürgen Schmidhuber. Modeling attacks on physical unclonable functions. In Proc. of 17th ACM conference on Computer and communications security (CCS), pages 237–249, New York, NY, USA, 2010. ACM.

[RXS+14] Ulrich Rührmair, Xiaolin Xu, Jan Sölter, Ahmed Mahmoud, Mehrdad Majzoobi, Farinaz Koushanfar, and Wayne P. Burleson. Efficient Power and Timing Side Channels for Physical Unclonable Functions. In Proc. of 16th International Workshop on Cryptographic Hardware and Embedded Systems (CHES), pages 476–492, 2014.

[SBC18] Pranesh Santikellur, Aritra Bhattacharyay, and Rajat Subhra Chakraborty. Github: Modeling of APUF compositions, 2018. [Accessed Aug., 2018].

[SBC19] Pranesh Santikellur, Aritra Bhattacharyay, and Rajat Subhra Chakraborty. Deep Learning based Model Building Attacks on Arbiter PUF Compositions. IACR Cryptology ePrint Archive, 2019:566, 2019.

[Sch16] M. Georg Schroder. Logistic Regression: A Self-Learning Text. 2016.

[SCM15] Durga Prasad Sahoo, Rajat Subhra Chakraborty, and Debdeep Mukhopadhyay. Towards ideal arbiter PUF design on Xilinx FPGA: A practitioner's perspective. In Digital System Design (DSD), 2015 Euromicro Conference on, pages 559–562. IEEE, 2015.

[SD07] G. Edward Suh and Srinivas Devadas. Physical unclonable functions for device authentication and secret key generation. In DAC, pages 9–14, 2007.

[SH14] Dieter Schuster and Robert Hesselbarth. Evaluation of Bistable Ring PUFs Using Single Layer Neural Networks. In Trust and Trustworthy Computing - 7th International Conference, TRUST 2014, Heraklion, Crete, Greece, June 30 - July 2, 2014. Proceedings, pages 101–109, 2014.

[SMCN18] Durga Prasad Sahoo, Debdeep Mukhopadhyay, Rajat Subhra Chakraborty, and Phuong Ha Nguyen. A Multiplexer-Based Arbiter PUF Composition with Enhanced Reliability and Security. IEEE Transactions on Computers, 67(3):403–417, 2018.


[SNMC15] Durga Prasad Sahoo, Phuong Ha Nguyen, Debdeep Mukhopadhyay, and Rajat Subhra Chakraborty. A Case of Lightweight PUF Constructions: Cryptanalysis and Machine Learning Attacks. IEEE TCAD, 2015.

[Söl09] Jan Sölter. Cryptanalysis of Electrical PUFs via Machine Learning Algorithms. Master's thesis, Technische Universität München, 2009.

[TB15] Johannes Tobisch and Georg T. Becker. On the Scaling of Machine Learning Attacks on PUFs with Application to Noise Bifurcation. In Proc. of 11th International Workshop on Radio Frequency Identification: Security and Privacy Issues (RFIDsec), pages 17–31, 2015.

[TDF+14] Shahin Tajik, Enrico Dietz, Sven Frohmann, Jean-Pierre Seifert, Dmitry Nedospasov, Clemens Helfmeier, Christian Boit, and Helmar Dittrich. Physical Characterization of Arbiter PUFs. In Cryptographic Hardware and Embedded Systems - CHES 2014 - 16th International Workshop, Busan, South Korea, September 23-26, 2014. Proceedings, pages 493–509, 2014.

[TLG+15] S. Tajik, H. Lohrke, F. Ganji, J. P. Seifert, and C. Boit. Laser Fault Attack on Physically Unclonable Functions. In 12th Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC), 2015.

[WGM+17] Nils Wisiol, Christoph Graebnitz, Marian Margraf, Manuel Oswald, Tudor Soroceanu, and Benjamin Zengin. Why Attackers Lose: Design and Security Analysis of Arbitrarily Large XOR Arbiter PUFs. 2017.

[XRHB15] Xiaolin Xu, Ulrich Rührmair, Daniel E. Holcomb, and Wayne P. Burleson. Security Evaluation and Enhancement of Bistable Ring PUFs. In Proc. of 11th International Workshop on Radio Frequency Identification: Security and Privacy Issues (RFIDsec), pages 3–16, 2015.

[YHD+16] Meng-Day Yu, Matthias Hiller, Jeroen Delvaux, Richard Sowell, Srinivas Devadas, and Ingrid Verbauwhede. A lockdown technique to prevent machine learning on PUFs for lightweight authentication. 2016.

[YKL+13] Yida Yao, Myung-Bo Kim, Jianmin Li, Igor L. Markov, and Farinaz Koushanfar. ClockPUF: Physical Unclonable Functions based on Clock Networks. In Design, Automation & Test in Europe (DATE), Grenoble, France, 2013.

[YMSD11] Meng-Day (Mandel) Yu, David M'Raïhi, Richard Sowell, and Srinivas Devadas. Lightweight and Secure PUF Key Storage Using Limits of Machine Learning. In CHES, pages 358–373, 2011.